VIRUS-L Digest   Monday, 27 Nov 1989    Volume 2 : Issue 248

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list. Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

"Where Did They Come From"
Potential impact of internet worm
Anti-virus industry research
Re: high-level language viruses
fPRT is **not** a virus (Mac)
Stoned Virus Killer (PC)
"Viruses" that mutate...
Non-executable viruses
Re: 80386 and viruses (PC and UNIX)
Re: Known PC Virus List (PC)
New virus: "Jude" (Mac)
EAGLE.EXE 2nd Version Discovered (PC)
DIR EXEC on VM (VM/CMS)
EAGLE.EXE 2nd Version Discovered (PC)
DIR EXEC on VM (VM/CMS)
Re: Using Relay for real time conference (BITNET)
The DIR EXEC consequences... (VM/CMS)

---------------------------------------------------------------------------

Date:    Wed, 22 Nov 89 11:05:00 -0500
From:    WHMurray@DOCKMASTER.ARPA
Subject: "Where Did They Come From"

Thanks to Fridrik Skulason for his contribution. It sustains my
intuitive observation that Israel's merely two million people are
disproportionately represented as sources. Perhaps they have too much
time on their hands. Perhaps someone there fails to realize his own
interest in an orderly sandbox.

While we have been totally ineffective, not to say inept, in
identifying virus authors, there would seem to be an advantage to
starting in a small population with a lot of clues.
William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date:    Wed, 22 Nov 89 12:44:00 -0500
From:    TMPLee@DOCKMASTER.ARPA
Subject: Potential impact of internet worm

Gene Spafford notes that the Morris worm (I still prefer to call it a
virus; after all, it DID use the machinery of what it was infecting to
propagate itself) only infected 5% of the machines on a
known-to-be-insecure net. It was stopped because it was noticed. It was
noticed because of bugs that made it replicate much faster than was
intended. Has anyone estimated how far it would have gotten had those
bugs not been there, i.e., if it had replicated so slowly as not to be
noticed?

------------------------------

Date:    Wed, 22 Nov 89 13:35:00 -0400
From:    RASIEL72@wharton.upenn.edu
Subject: Anti-virus industry research

I am an MBA student at the Wharton School, U. of Pennsylvania
researching the anti-virus software industry for a course in
entrepreneurial management. I would greatly appreciate a list of
*commercial* anti-viral packages with a basic description of what they
do (detection, removal, etc.) and the addresses and/or telephone #s of
their publishers. Since the field keeps changing so quickly (that's why
I'm studying it) it's very difficult for those of us not involved
directly with the industry to keep abreast.

Please send any info, comments or observations on the industry to:
Rasiel72@Wharton.upenn.edu

Thanks very much in advance and best regards from:

Ethan M. Rasiel
Wharton School, U. of PA
Philadelphia, PA

------------------------------

Date:    Wed, 22 Nov 89 14:19:43 -0500
From:    dmg@lid.mitre.org (David Gursky)
Subject: Re: high-level language viruses

In Virus-L V2 #247, Fridrick Skulason (frisk@rhi.hi.is) asks about
viruses written in higher-level languages.
An oft-ignored fact of HLL viruses is that some do have the ability to
spread between machines running the same HLL. For example, Smalltalk-80
operates on Macs, PS/2s, and 286-based PCs. Now suppose I write a virus
that is written in Smalltalk-80. It will not infect, say, the System
file on a Mac, or the .COM files on PCs, but it could spread from
Smalltalk-80 Mac to Smalltalk-80 286.

A precursor to this was the Dukakis Virus of last year. The Dukakis
virus was written in Hyperscript, the programming language behind
Apple's Hypercard product. We are seeing Hypercard-compatible products
for MS-DOS (Spinnaker's Plus product for the Mac and PC -- see MacWeek
21-Nov). Consequently, Dukakis-type viruses could pose threats to both
Macs and PCs, although only to a subgroup of those platforms (those
running the infectable application).

------------------------------

Date:    Thu, 23 Nov 89 22:02:58 +0000
From:    biar!trebor@uunet.uu.net (Robert J Woodhead)
Subject: fPRT is **not** a virus (Mac)

Reports are flying around a variety of networks concerning an alleged
virus that leaves a "fPRT 0" resource in the Finder and other files.

fPRT 0 is created by the Finder (and some other programs) when the user
changes the default print settings with "Page Setup..." It is not
evidence of a virus. The resource is about 120 bytes long and does not
contain code. In any case, absent some other mechanism, it could never
be executed anyway.

While there may be some new virus out there (odds favor there not being
one, if my experience is any guide), fPRT 0 has nothing to do with it.

Robert J Woodhead, Biar Games, Inc.  !uunet!biar!trebor | trebor@biar.UUCP
Announcing TEMPORAL EXPRESS. For only $999,999.95 (per page), your
message will be carefully stored, then sent back in time as soon as
technologically possible. TEMEX - when it absolutely, positively has to
be there yesterday!
------------------------------

Date:    24 Nov 89 00:40:41 +0000
From:    M.Jones@massey.ac.nz
Subject: Stoned Virus Killer (PC)

I have seen a couple of postings asking about programs for zapping the
'Stoned' virus. There is one called KILLER written by someone at
Victoria University in NZ that removes the virus and restores the old
boot sector (I believe). I checked on the SIMTEL20 archives and it
doesn't seem to be there, so I don't know if it is easily obtainable
outside of NZ. I can post it to this group or get it put somewhere
accessible if this is the case.

#############################################################################
#       \|||/       Michael Jones            Phone: +64 +63 69099 Ext 7816  #
#       / \         Computer Science Dept    Fax: 63-505-611                #
#     / O O \       Massey University        E-mail: M.Jones@massey.ac.nz   #
#  =000====U====000= Palmerston North, NZ                                   #
#############################################################################

------------------------------

Date:    Wed, 22 Nov 89 16:11:12 -0500
From:    FASTEDDY@MATRIX.GSFC.NASA.GOV (John McMahon)
Subject: "Viruses" that mutate...

***> From: Peter Zukoski
***> Subject: followup on mind viruses
***>
***> Dear virus-folk: thanks for all the responses to Richard Dawkins
***> questions. Here's some further thoughts from Richard on the topic of
***> mind viruses...He and I would be interested in your opinions, especially
***> on evolving/mutating virus technology. Has anyone seen viri which
***> evolve, or mutate in response to the environment which it is in? Or viri
***> which recognize and "use" other viri which might be present?

The recent attacks by the WANK worm on the "World DECnet" was an
example of a program that "evolved" and "mutated" as it propagated
through the network.

It "evolved" such that it added to itself when it learned a new common
username to attack. Each new common username added an additional line
to the code, thus making the worm a little bit "smarter".
It "mutated" such that the program would delete certain routines if the
program determined that certain conditions applied. These conditions
were related to its discovery on the network.

Admittedly, these are simple examples. But they may be an indication of
things to come.

/------------------------------------+----------------------------------------\
|John "Fast Eddie" McMahon           | Span: SDCDCL::FASTEDDY (Node 6.9)      |
|Advanced Data Flow Technology Office|Internet: FASTEDDY@DFTNIC.GSFC.NASA.GOV |
|Code 630.4 - Building 28/W255       | Bitnet: FASTEDDY@DFTBIT                |
|NASA Goddard Space Flight Center    |GSFCmail: JMCMAHON                      |
|Greenbelt, Maryland 20771           | Phone: 301-286-2045 (FTS: 888-2045)    |
+------------------------------------+----------------------------------------+
|X.400 Telenet Mail: (C:USA,ADMD:TELEMAIL,PRMD:GSFC,O:GSFCMAIL,UN:JMCMAHON)   |
|GSFC XNS (3+Mail): {FASTEDDY@DFTNIC.GSFC.NASA.GOV}:INTERNET:GSFC             |
+-----------------------------------------------------------------------------+
|"Living a 9600 Baud Lifestyle in a 1200 Baud World" - R.A.J.                 |
\-----------------------------------------------------------------------------/

------------------------------

Date:    Wed, 22 Nov 89 01:52:21 -0800
From:    John Goodman
Subject: Non-executable viruses

I am puzzled by something. Last summer I recall seeing an article about
a virus that infected spreadsheets. That's right, spreadsheets, not
spreadsheet programs. (Sorry, I don't recall either the author's name or
the name of the article. I was given a copy, so I am unsure where or
even if it was printed for wide distribution.)

The described virus's method of action was an auto-executing macro that
was hidden somewhere in a large spreadsheet where it was unlikely to be
noticed, yet whenever the spreadsheet was loaded it would "do its
thing."
Since, this author asserted, modern spreadsheet programs often have very
powerful macro languages including access to DOS functions and running
DOS programs and an auto-execute feature, it is possible to write a
comparably powerful virus in this fashion. Naturally, such a virus
would not be found by looking only at .EXE and .COM files (plus the
boot sector). It could only be found by looking inside the worksheets
and knowing something of the nature of their storage of that kind of
macro (a knowledge that would vary by the brand and release of the
various spreadsheet programs on the market).

What puzzles me is that this author said he had withheld saying
anything about his ideas along this line until he had actually seen a
live sample of such a virus. Then he did experiments in his lab to
confirm his notion of what was going on, then wrote it all up in the
paper I saw.

I have seen nothing here about this problem, nor do the VIRUSCAN
programs look for any such viruses. Has anyone here seen such a virus?
Are there any programs that do check for such? Is there anyone
concerned about this (potential or actual ??) problem?

I also note that a similar virus problem could manifest with bogus code
being included in any source file that would be "run" through an
interpreter on any computer system (which includes a lot of games in
interpreted BASIC, often distributed in a fashion that makes it at
least very difficult to list their contents), so we are not really only
talking here about spreadsheets and PCs.

I am not sounding an alert, as I have not seen any such virus myself. I
am instead voicing a concern and asking for references to any programs
that might help one protect one's computer(s) (PC systems in
particular) against that sort of threat.

- -----------------------------------------------------------------------------
John M. Goodman, Ph.D.
GOOD CODE WORKS
P. O.
Box 746, Westminster, CA 92684-0746
(714) 895-3195 (voice)
uucp: ...!lll-winken.llnl.gov!spsd!stanton!john
- -----------------------------------------------------------------------------

------------------------------

Date:    Wed, 22 Nov 89 13:02:18 -0600
From:    Peter da Silva
Subject: Re: 80386 and viruses (PC and UNIX)

In article <0004.8911212031.AA18181@ge.sei.cmu.edu> you write:
> peter%ficc@uunet.UU.NET (Peter da Silva) writes...
> >It's called "Merge 386" or "Vp/IX".
> >[Ed. These products, by the way, are DOS emulation boxes for i386
> >based UNIX and XENIX products.]

> Would someone elaborate on this? Surely a program (virus or otherwise)
> running under the emulator could do the same things, including deleting all
> the files it can find, as on DOS. What protection is provided?

DOS runs as a UNIX task subject to the UNIX protection mechanisms. In
particular, it does not have direct access to the hardware unless
deliberately configured that way, and it does not have permission to
write any files that a normal UNIX task could not write. There is also
no backdoor to the file system via any BIOS. So it's not subject to
infection by standard DOS virus techniques, and even if the DOS
emulator becomes infected the damage would be limited to the
DOS-accessible files in a single user's account.

It's also not possible to directly read or write the configuration
files from DOS, because they're owned by the superuser and protected
from writing.

Now it should be possible to write a virus that would deliberately
infect DOS under UNIX systems (by setting up a trojan horse, for
example), but this would be a second-level effect... and the number of
such systems is so much smaller than pure-DOS systems (a 386 box costs
something like 5 times an XT) that it's not a very tempting target.

`-_-' Peter da Silva . 'U` -------------- +1 713 274 5180.
"The basic notion underlying USENET is the flame."
  -- Chuq Von Rospach, chuq@Apple.COM

------------------------------

Date:    23 Nov 89 09:40:02 +0000
From:    nyenhuis@idca.tds.PHILIPS.nl (G. Nijenhuis)
Subject: Re: Known PC Virus List (PC)

CHESS@YKTVMV.BITNET (David.M..Chess) writes:
>Quite welcome for the format, and thanks for the acknowledgement!
>
>Nice list!

Was there a complete Virus list posted to this group? If so, I missed
it. We had some troubles with the net news over here and missed a lot.
I am very interested in this list, so would somebody please be so kind
as to send it (or post it) to me? Many thanks in advance.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Gerrit Nijenhuis               Internet : nyenhuis@idca.tds.PHILIPS.nl   #
# Philips TDS, Dept. SSP         UUCP     : ...!mcvax!philapd!nyenhuis     #
# Apeldoorn, The Netherlands     Phone    : +31 55 433327                  #

------------------------------

Date:    24 Nov 89 15:10:09 +0100
From:    Markus Mueller
Subject: New virus: "Jude" (Mac)

A new variant of the nVir virus has shown up here at ETH, Zurich,
Switzerland. Infected applications show a "CODE" 256 and various "Jude"
resources. VirusDetective 3.1 does detect the virus while Disinfectant
1.2 does not. More details will follow.

Markus Mueller
Communications Systems Group
Eidgenoessische Technische Hochschule
CH-8092 Zurich
Switzerland

Switch : muellerm@inf.ethz.ch
ARPA   : muellerm%inf.ethz.ch@relay.cs.net
UUCP   : muellerm%inf.ethz.ch@cernvax.uucp
X.400  : G=markus;S=mueller;OU=inf;O=ethz;P=ethz;A=arcom;C=ch

------------------------------

Date:    Sun, 26 Nov 89 09:46:00 -0500
From:    IA88000
Subject: EAGLE.EXE 2nd Version Discovered (PC)

Samples of a second version of EAGLE.EXE have been received from both
Washington and Wichita during the past several days. These are similar
to the original EAGLE.EXE file with one main difference. These new
copies contain a modified form of the AIDS virus. As per the first
version, SCAN.EXE will not detect the virus in this new version of
EAGLE.EXE.
Please see VIRUS-L for a more thorough follow up.

------------------------------

Date:    Sun, 26 Nov 89 16:11:56 -0500
From:    Carsten Zimmer
Subject: DIR EXEC on VM (VM/CMS)

Last night I received an EXEC named 'DIR EXEC' which purported only to
list CMS files in an MSDOS-convenient format. It does that, OK, but in
addition it also sends itself to all entries in your NAMES and NETLOG
files. It's the same story as with CHRISTMAS EXEC, which last year
cluttered up the networks.

regards, Carsten

------------------------------

Date:    Sun, 26 Nov 89 09:46:00 -0500
From:    IA88000
Subject: EAGLE.EXE 2nd Version Discovered (PC)

I should have known better than to think my last report was the final
report on this subject.

Over the past several days a NEW version of EAGLE.EXE was discovered in
Washington and Wichita. This new version contains the same "trojan",
i.e., if COMMAND.COM is found in the ROOT directory, AND if the system
has a '286, '386, or '486 CPU, EAGLE.EXE will proceed to overwrite the
Boot sector and both FATs as well as several other sectors with an
ASCII 246.

The major difference is that the new version of EAGLE.EXE has a new
strain of the AIDS virus, which is alive, well and infectious.
EAGLE.EXE was again compressed, which stops "SCAN.EXE" from recognizing
the virus contained in the file.

Here is all we know about the two versions of EAGLE.EXE:

EAGLE.EXE - Version 1 contains the Jerusalem B virus and a very nasty
trojan which will check for COMMAND.COM in the root and, if it is found
and if the CPU is a '286 or higher, EAGLE.EXE Ver. 1 will overwrite the
Boot sector and both FATs with ASCII 246.

EAGLE.EXE - Version 2 - Same as above except it contains a new strain
of the AIDS virus.

Both programs were written in Quick Basic and compiled using BASCOM.
Both programs are compiled and compressed in such a way as to prevent a
normal scanning utility from detecting the viruses in these files.

A floppy disk can be protected from the trojan by a write protect tab.
Both of the viruses are currently active. The trojan part of each IS
NOT part of the virus.

Now for the good news:

EAGLSCAN, which was made available by the people at SWE, has been
modified to detect both versions of EAGLE.EXE and is currently being
made available to VIRUS-L readers, FREE of CHARGE, by simply sending a
formatted 5.25 inch 360k disk with a return address label and RETURN
POSTAGE (stamps ok) to the following address:

SWE
132 Heathcote Road
Elmont, New York 11003

You will receive the latest version of EAGLSCAN, which can detect and
warn you if either version of EAGLE.EXE is present.

There is no charge for the program, but PLEASE....include postage
(stamps ok)! The people at SWE have gone out of their way to help in
this matter and it is only fair to include postage. Of the three
hundred requests received so far, twenty three of them did not include
return postage. SWE has decided to return these disks, via Parcel Post,
so those who did not send postage will receive the program, as soon as
the US Mail service gets around to delivering their Parcel Post
shipments.

In answer to some of the people who have sent mail, neither version of
EAGLE.EXE will be available or uploaded to Homebase. The announcement
that it would be made available to McAfee Associates was premature to
say the least. I am not privy to why this decision was made. It would
appear your ONLY source for a program which can detect either version
of EAGLE.EXE is the above address.

The latest version of SCAN from McAfee was tested again on both
versions of EAGLE.EXE and was not able to detect a virus in either
file.

To those who already sent disks to SWE, I have been informed that every
disk sent (except for the ones without postage) is now on its way back
to you, via US mail. SWE finished up the disks early this AM and all
were deposited with the US mail service.
If you desire to receive a free copy of EAGLSCAN, please be sure your
formatted disk, return disk mailer and return postage (stamps ok)
arrive at SWE NO LATER than December 15th. SWE will be closing for the
holidays December 18th, and will process all disks received as of
12/15.

Thanks must be passed along to the two people in Washington and Kansas
who sent the new versions of EAGLE.EXE for examination.

That is about it for now.

------------------------------

Date:    Sun, 26 Nov 89 10:56:21 -0500
From:    Doug Sewell
Subject: DIR EXEC on VM (VM/CMS)

This was just posted on LSTSRV-L and several other groups
- Doug
- ---
>Date:    Sat, 25 Nov 89 19:15:31 EDT
>Sender:  Revised LISTSERV forum
>From:    "Juan M. Courcoul"
>Subject: IMPORTANT WARNING: CHRISTMA workalike on the loose on the links
>
>This is an emergency warning. As such it has been sent to several important
>lists; please excuse the multiple cross-posting.
>
>A dangerous REXX exec named DIR EXEC has been detected on our node, thanks
>to a watchful recipient. This exec purports to be able to produce a directory
>listing of the user's disks in an MS/DOS (PC) format.
>
>However, when the exec is run, it will produce the promised listing BUT it
>will also send a copy of itself to all net addresses found in the user's
>NAMES and NETLOG files.
>
>This will, of course, swamp the BITNET network in a very short time if it
>is allowed to run unchecked. Its behavior is, damagewise, identical to the
>CHRISTMA EXEC which attacked both BITNET and VNET (IBM's corporate net)
>approximately three years ago.
>
>All system operators, postmasters and people in charge: if you find the DIR
>EXEC in your system's RDR queue, flush immediately. The copy we detected has
>the following characteristics:
>
>FILENAME FILETYPE FM FORMAT LRECL RECS BLOCKS
>DIR      EXEC     B1 V      116   167  1
>
>The datestamp is not a reliable indicator; in two different copies found in
>our RDR queue, the date was different.
>
>Also, please post warnings on your systems, alerting your users about this
>problem.
>
>Thanks for your immediate attention to this urgent problem.
>
>Juan
>
>/-----------------------------------------------------------------------\
> Juan M. Courcoul                    | Phone: (835) 820-0000 Ext. 4151
> Postmaster / Listserv Coordinator   |
> Dept. of Academic Services          | Net: POSTMAST@TECMTYVM.BITNET
> Monterrey Campus                    |      POSTMAST@TECMTYVM.mty.itesm.mx
> Monterrey Institute of Technology   |      POSTMAST@TECMTYSB.BITNET
> Monterrey, N. L., Mexico 64849      |      POSTMAST@TECMTYSB.mty.itesm.mx
>\-----------------------------------------------------------------------/

------------------------------

Date:    Sun, 26 Nov 89 15:08:58 -0500
From:    Jon Allen Boone
Subject: Re: Using Relay for real time conference (BITNET)

I think using RELAY as a method of talking about viruses would be
great. How about setting up a time? Like, say, a weekly or bi-weekly
meeting? That way everyone would be welcome, and such.

Also, does anyone have any information on any books or papers written
about viruses? You know, sort of like a beginner's guide to viruses.

------------------------------

Date:    Sun, 26 Nov 89 12:45:28 -0800
From:    Pseudo Dragon
Subject: The DIR EXEC consequences... (VM/CMS)

It seems to me that the latest DIR EXEC has become far more publicized
than the author could have possibly hoped for. Due to the multiple-list
posting, the warning message got bounced around sixteen times or so
from Mail_system@VAX.OXFORD.AC.UK ... thus jamming Bitnet far more
effectively than the DIR EXEC ever could. Perhaps this was the desired
effect the author wanted?

------------------------------------------
From the desktop computer of: Charles Howes, USERQU0M@SFU.BITNET
"Clothes make the man; Naked people have little or no influence in
society." -- Mark Twain

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
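The DIR EXEC reports in this digest (Zimmer, Courcoul via Sewell, and the closing note) describe a CHRISTMA-style exec: it reads the user's NAMES and NETLOG files and sends a copy of itself to every address found, and the copy seen at TECMTYVM was an EXEC of 167 records with an unreliable datestamp. The following Python is an added example, not code from the digest or from any of its posters, showing the two checks a postmaster of the period would want: a reader-queue triage that flags DIR EXEC by name and any EXEC of the reported size under another name, and a source triage that flags any exec combining address-book reads with a file-sending command. The queue column layout, the sample listing, the sample exec texts and all function names are assumptions constructed for this example; the "DIR EXEC" text below is a skeleton stand-in for what such a scanner must catch, not the worm's code.

```python
"""Triage helpers for CHRISTMA-style self-mailing REXX execs (VM/CMS).

Added example, not code from the digest. Checks derived from the warning:
  1. reader-queue triage: flag DIR EXEC by name, and any EXEC whose record
     count matches the reported copy (167), since a renamed copy keeps its
     size while the datestamp is not a reliable indicator;
  2. source triage: flag an exec that both reads NAMES/NETLOG and calls a
     file-sending command (SENDFILE/PUNCH).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Characteristics quoted in the warning for the copy found at TECMTYVM.
KNOWN_FILENAME = "DIR"
KNOWN_FILETYPE = "EXEC"
KNOWN_RECS = 167


@dataclass(frozen=True)
class SpoolFile:
    filename: str
    filetype: str
    user: str
    node: str
    records: int


def parse_queue(listing: str) -> list[SpoolFile]:
    """Parse a reader-queue listing with the assumed column order
    FILENAME FILETYPE CLASS USER NODE RECORDS DATE TIME (constructed for
    this example, not the exact RDRLIST layout). Header and blank lines
    are skipped because their RECORDS field is not numeric."""
    files = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[5].isdigit():
            continue
        files.append(SpoolFile(parts[0].upper(), parts[1].upper(),
                               parts[3].upper(), parts[4].upper(),
                               int(parts[5])))
    return files


def triage_queue(listing: str) -> list[tuple[SpoolFile, str]]:
    """Return (spool file, reason) for each entry to flush or inspect."""
    hits = []
    for f in parse_queue(listing):
        if (f.filename, f.filetype) == (KNOWN_FILENAME, KNOWN_FILETYPE):
            hits.append((f, "filename/filetype match DIR EXEC"))
        elif f.filetype == KNOWN_FILETYPE and f.records == KNOWN_RECS:
            hits.append((f, f"EXEC with {KNOWN_RECS} records: possible renamed copy"))
    return hits


# The worm's defining pair of behaviours: read the address books, then
# ship a file out to every entry found.
ADDRESS_BOOK = re.compile(r"\b(NAMES|NETLOG)\b", re.IGNORECASE)
SEND_CMD = re.compile(r"\b(SENDFILE|PUNCH)\b", re.IGNORECASE)


def triage_source(exec_text: str) -> dict[str, bool]:
    """Flag an exec that combines address-book reads with send commands.
    REXX block comments are stripped first so that a mention in a header
    comment can neither trigger nor mask the check."""
    code = re.sub(r"/\*.*?\*/", " ", exec_text, flags=re.DOTALL)
    reads_book = ADDRESS_BOOK.search(code) is not None
    sends = SEND_CMD.search(code) is not None
    return {"reads_address_book": reads_book, "sends_files": sends,
            "suspect": reads_book and sends}


# --- constructed sample inputs (not captured from a real system) ----------
QUEUE_LISTING = """\
FILENAME FILETYPE CLASS USER     NODE     RECORDS DATE     TIME
DIR      EXEC     A     FRIEND   TECMTYVM 167     11/25/89 19:15:31
DIR      EXEC     A     SOMEONE  CERNVAX  167     11/26/89 08:02:10
LISTING  EXEC     A     SOMEONE  CERNVAX  167     11/26/89 08:02:10
BUDGET   SCRIPT   A     BOSS     LOCAL    42      11/24/89 10:00:00
"""

BENIGN_EXEC = """/* DIRLIST EXEC: DOS-style listing only (constructed, harmless) */
address command
'LISTFILE * * A (DATE'
"""

# Skeleton stand-in showing the shape a scanner must catch; not the worm.
SUSPECT_EXEC = """/* DIR EXEC: constructed stand-in, not the real code */
address command
'LISTFILE * * A (DATE'
'EXECIO * DISKR' userid() 'NAMES A (FINIS STEM book.'
'EXECIO * DISKR' userid() 'NETLOG A (FINIS STEM log.'
do i = 1 to book.0
  'SENDFILE DIR EXEC A TO' word(book.i, 1)
end
"""

if __name__ == "__main__":
    for spool, reason in triage_queue(QUEUE_LISTING):
        print(f"FLUSH? {spool.filename} {spool.filetype} from "
              f"{spool.user} at {spool.node}: {reason}")
    for name, text in (("DIRLIST", BENIGN_EXEC), ("DIR", SUSPECT_EXEC)):
        print(name, triage_source(text))
```

The size match is deliberately a second-tier signal: it catches the renamed copies the warning anticipates, but an honest 167-record EXEC will also be listed, so the reason string tells the operator which rule fired. The source check is likewise a heuristic for triage, not proof; a legitimate mail utility also reads NAMES and calls SENDFILE, so anything flagged still needs a human to read it before it is flushed or released.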