VIRUS-L Digest Friday, 10 Feb 1989 Volume 2 : Issue 43 Today's Topics: Problems with Toshiba Laptop - virus? (PC) Valentine's Day VTxxx trojan horse mail message 'ALERT'virus - short follow-up (Mac) Thanks & virus query (PC) Information Requested Apple 2 Elk virus --------------------------------------------------------------------------- Date: 8-FEB-1989 14:44:41 GMT From: Subject: Problems with Toshiba Laptop - virus? (PC) Dear Moderator: I am very new to your VIRUS-L mailing list, and still somewhat unfamiliar with viruses in general. Recently, however, I have noticed some peculiar behavior with my Toshiba 1200 Laptop computer. It seems to throw random "h"s on the screen from time to time. At first, fairly infrequently, and then increasingly more so. At this point it throws "h"s, backspaces, spaces so often it's as if it has a mind of its own. At present I am having the keyboard diagnosed at the dealer, but its behavior did not give me the feeling that it was actually a keyboard problem. Does any of this sound remotely familiar? Any help would be greatly appreciated. Thanks in advance, Bob Dooner London School of Economics (Dooner@uk.ac.lse.vax1) ------------------------------ Date: Thu, 9 Feb 89 17:54:00 EST Sender: Virus Alert List From: Gary Ansok Subject: Valentine's Day VTxxx trojan horse mail message The following was posted on our local bulletin board, so we're definitely getting into third- and fourth-hand information here. This is really just a Trojan Horse rather than a virus, but I thought I'd pass it along. - ------------------------ Folks, What I am about to relate was triggered by a second-hand rumor, but it reflects a very valid security concern and is something that we may wish to deal with immediately. The rumor is that a Valentine's Day message has been prepared that has the potential for causing lots of personal (and operational) havoc. Any user who reads this message, on a VAX system, using a standard DEC terminal, will have all of his files deleted. This little nastygram is rumored to also put a sweet message and heart on the screen while doing its dirty work. A nice touch. At the risk of being alarmist, I suggest that we immediately inform our users to be suspicious of any messages of unknown origin. Information is limited and we do not know if it will appear or how to recognize it if it does. If I get more information I'll send it along. - ------------------------- I have a few questions for anyone who knows VTxxx terminals: 1) Is it possible to do this on a VT1xx or VT2xx terminal? I know it is possible to cause the answerback message to be echoed, but I don't know of a command to load the answerback message from the host; it is possible to load a definition into a (shifted) function key, but that requires the user to press the key; I know of no command to echo the contents of the screen back to the host as input. 2) If it is possible, is there a setup option that will immunize the terminal from this particular disease? This sort of attack has been known for years, especially on forms-oriented terminals, but I had believed that my terminal (a VT220) was not subject to this particular vulnerability. Has anyone else heard about this? Has anyone actually SEEN this beast? If you notice it ahead of time, it should be simple to determine what it does and where it came from (unless it's self-perpetuating like the XMAS EXEC -- but there's no easy list of destinations on VAX/VMS). Gary Ansok or P.S. The lack of a way for this thing to hide its origins from anyone who is looking for it makes me wonder if it is real. But I'll be looking over my incoming mail extra carefully for a few weeks anyway. -- Gary ------------------------------ Date: Fri, 10 Feb 89 01:25:00 GMT Sender: Virus Alert List From: Danny Schwendener Subject: 'ALERT'virus - short follow-up (Mac) >PS: I (David Richardson) have never actually seen this, & I honestly hope >it is a hoax (like the "modem virus"), but it is too scary to ignore. I'm very afraid it isn't a hoax. I spent a good part of the afternoon trying to reach Thierry Delettre and the DTS of Apple France. I reached both of them. Below are some precisions. For those who want general info, check the posting made a few days ago. - - The virus adds 1344 bytes to the CODE ID=1 resource of an application - - it has been purposely written to attack applications from Apple Inc., and does this by checking if CODE ID=1 is named "Main". Other applications won't be infected. non-application files won't be touched by the virus. - - the code segment starts with the following byte sequence: 6000 0028 (this is BRA *+42 for those of you without sixteen fingers) and contains the four letters 'ANTI' (I think right after this first instruction, but I'm not sure - the line noise was terrible). Note that the CODE ID=1 resource also contains a 4-byte segment header, so check for the sequence in bytes 5-8. - - It loves MultiFinder. Seems to propagate faster through MultiFinder than through a standard Finder environment. - - Vaccine detects it only if the "Always Compile MPW INITs" is unchecked (could someone explain me why?) I should get a copy of the bugger by the end of next week, if the french postal service doesn't go on strike again. Expect a report soon. - -- Danny Schwendener ETH Macintosh Support, ETH-Zentrum, m/s PL, CH-8092 Zuerich, Switzerland UUCP: macman@ethz.uucp BITNET: macman@czheth5a.bitnet Internet: macman@ifi.ethz.ch AppleLink: macman%czheth5a.BITNET@DASNET# ------------------------------ Date: Thu, 9 Feb 1989 16:58 PAC From: Marty Zimmerman Subject: Thanks & virus query (PC) Thanks to all of you who responded to my question about (c) Brain. Your help is greatly appreciated. Now I have another question about an unidentified virus (?). This one turned up in a department on campus when they were checking their disks for (c) Brain. The symptoms are as follows: 1) A strangely altered boot track (on 360K floppies) that Nortons says is "not a boot track". The machine appears to boot normally, though. There are no messages that are obvious. One of our Systems people is currently disassembling it to find out what it does, but we do know that it sets aside about 10K of RAM for itself before loading DOS. 2) Alterations to the FORMAT.COM file, if it exists on the contaminated disk. The only obvious change is the prompt that asks the user to press ENTER to begin formatting. Now it says "Press <-' to begin". In other words, it tries to draw out the ENTER/RETURN symbol. Are we just getting paranoid, or does this sound familiar to anybody? None of the disks in this department showed any signs of (c) Brain infection. Thanks again for your comments. Marty Zimmerman Computer Services University of Idaho ------------------------------ Date: Thu, 09 Feb 89 20:24:13 CST From: James Ford Subject: Information Requested We are starting a Computer Post here, and one of the topics of discussion will be viruses/trojans. Does anyone have any suggestions? The average age of the students involved is 14-17 (8th grade - 12th grade). Due to this, a "detailed" technical representation is not necessary (and I probably wouldn't get it right, anyway..(grin)). Please respond directly to me. Thanks in advance, James P.S. If someone has already done this to a similar age group, I would like to here from them. Disclaimer: Hacking can be fatal to your files......... ------------------------------ From: The Heriot-Watt Info-Server Date: Fri, 10 Feb 89 10:32:14 GMT Subject: Apple 2 Elk virus Re: Bruce Howells request for information on the elk cloner virus for the Apple 2, I enclose a copy of an article from USENET posted by on April 26 1988, giving further details. Hope this is of some use. Here are descriptions of a virus and a nasty program header which run on the Apple II family. =============== The Elk Cloner V2.0 I found the Elk Cloner V2.0 #005 on a disk of mine in 1981 or 82. I'm fairly certain it could not have been written before the publication of Beneath Apple DOS, so I would date it around mid-1981... It works exclusively with DOS 3.3. THE VIRUS 1. It is installed by booting an infected disk. I'm not sure how it initially gains control; apparently it is loaded in with some trash from T0 SA which DOS loads for no apparent reason. (BTW, since HackerDOS rearranges DOS on the disk, the Cloner would trash it. It might trash master disks, I don't know.) If you use a modified DOS which marks T2 S3-8 as free for use (as HackerDOS does), it would overwrite any file stored there. A JMP $9B00 which was installed when the disk was infected jumps to this code (I think) and loads the virus from T2 S3-S8 into $9000-95FF. 2. Next, it inserts its claws into DOS: A. Hooks into the Do Command code at $A180 and makes every command reset the DOS parse state to 0. I have no idea why it does this. It has no obvious effects. B. Hooks into the RUN, LOAD, BLOAD, and CATALOG commands to make them check the disk accessed & infect it if necessary. C. Create a USR vector for the Cloner diagnostics: B=USR(10) Prints a cute poem: ELK CLONER: THE PROGRAM WITH A PERSONALITY IT WILL GET ON ALL YOUR DISKS IT WILL INFILTRATE YOUR CHIPS YES IT'S CLONER! IT WILL STICK TO YOU LIKE GLUE IT WILL MODIFY RAM TOO SEND IN THE CLONER! B=USR(11) Prints ELK CLONER V2.0 #005 (version check) B=USR(12) Read the disk & prints BOOT COUNT: (#) B=USR(13) Infects a disk 3. Increments the boot count 4. Checks for any special event for this boot: Boot # (hex) Effect A Point reset vector to $FF69 (monitor) F INVERSE 14 Click the speaker 19 FLASH 1E Switch letters at $B3A7-B3AA so filetypes T I A B will appear as I T B A 23 Change DOS signal character from ctrl-D to ctrl-E 28 Lockout the computer on reset (dangerous one!) 2D Run the current program on any keypress (locks out the machine, also dangerous. BTW, this is done by setting the hibit of $00D6.) 32 Print above poem on reset 37, 3C, 46 Screw with the INIT code. I think it will give you an I/O ERROR, but I haven't tried. 3C and 46 might be dangerous in that it might not init a whole disk. I don't know. 41 'Crash' to monitor on every DOS command 4B Reboot 4C Reboot 4D Reboot 4E Reboot 4F Write 0 to the boot count & start all over again! 5. Sits back & infects disks. This is how the program is structured: 9000 Version number 9001-9073 Setup 9074-908F [Check a disk for infection] code 9090-90D9 Replacement code for LOAD, BLOAD, & CATALOG 90DA-9178 [Infect] code 9179 Read VTOC 9181 Write VTOC 91A8 Print routine 91E4 Serial # 91E5 Marked with a 0/1 if a disk is infected/uninfected 91EC-9243 Diagnostics 9244-9328 Poem 9343-9435 Special events by boot count 9500-9532 Code which loads Cloner on boot 95E1-95FF ASCII: MATT BEJOHN HINKLYJOHN HINKLE (The author's hero?) These are within the VTOC: B3BE Zeroed, I don't know why B3BF Boot count B3C0 Zeroed, don't know why B3C2 Infection mark: Version number (=(9000)) There may be several versions out. The version number would be used so later versions would write over older versions, for a new improved infection. THE TEST Any of these methods will work: 1. Check T$11 S0 Byte 7. If it is non-zero, the disk might be infected. 2. Check T1 S0 B$80-82. If they are 4C 00 9B, you have the Cloner. 3. Check T2 S3 - T2 S8 for the Cloner. 4. From Applesoft, immediately after boot, enter B=USR(11). THE VACCINE If you write a 2 to T$11 S0 Byte 7, Cloner version 2 will not infect that disk. I have verified this. THE CURE Write something (like 00:1 AD 88 C0 4C 59 FF) to sector 0 so you can't boot that disk. PRECAUTIONS The Cloner will not work unless you boot an infected disk. It cannot infect a write-protected disk. I have infected disks I use all the time. Just mark them as infected & don't boot them. ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253