VIRUS-L Digest   Wednesday, 3 Jan 1990    Volume 3 : Issue 3

Today's Topics:

Viruses in Public Labs (Mac)
gatekeeper (Mac)
re: Virus Trends
Virus data collection
(forwarded) review of The Cuckoo's Egg
Re: Spafford's Theorems
Two serious cases (PC)
Gatekeeper Aid Question (Mac)
SCANV54 (PC)
Re: WDEF / Apology to Mainstay Software (Mac)
Disinfecting Binhexed Files (mac)
New viruses (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.

   - Ken van Wyk

---------------------------------------------------------------------------

Date:    Fri, 29 Dec 89 17:38:00 -0500
From:    AC08@vaxb.acs.unt.edu
Subject: Viruses in Public Labs (Mac)

I work in a computer lab at the University of North Texas, and we have had a *lot* of experience with Mac virus problems. The lab is a public access facility, and anyone in the University can use the Macs (Mac II, color, 2 meg RAM, 40 meg HD). We have a very diverse collection of people who wander through, and most of them want to use their own software.

Some observations:

WDEF has *not* made it here yet... Almost every other kind has. I think I have the current record for most diversity in one machine:

   SCORES
   nVIRa
   nVIRb
   INIT 29

It crashed, and the user wanted to know what was wrong...... INIT 29 can cause a System death all by itself.

We have been running Disinfectant for several months, and it works great.
I noticed that one machine that was "clean" after Disinfectant 1.3 had a "partially infected" System and Finder when checked with 1.5.

Another problem was that we run all eight Macs off of an IBM file server under Netware, and that Netware allows infections to be written in by a program (though it won't cross-infect on the server itself). Gatekeeper does not like Ethernet boards... :(

Is anyone running or working on a "pre-emptive" anti-virus product like SAM or Gatekeeper that will work well with Netware and Ethernet? Please let me know (if possible).

Thanks,

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>Chad Irby              > "Bill?"
>Somewhere in...        > "What?"
>Denton, TX             > "Strange things are afoot
>ac08@vaxb.acs.unt.edu  >  at the Circle K."
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

------------------------------

Date:    Tue, 02 Jan 90 15:45:51 +0000
From:    phantom@athena.mit.edu (Mike Garrison)
Subject: gatekeeper (Mac)

As a new reader I have what is probably an oft-repeated question: is there an address to send to for info on gatekeeper, first aid, etc.? I would like to know how to order/obtain some of this software.

------------------------------

Date:    Tue, 02 Jan 90 11:54:19 -0500
From:    ches@research.att.com
Subject: re: Virus Trends

> 2. The press speculation about the DATACRIME virus was much more
> damaging than the virus.

I don't think so. True, the general public was alarmed out of proportion to the threat. But I suspect the press coverage encouraged a lot of people to back up machines that hadn't been backed up. This is good because

> 1. The amount of damage to data and availability done by viruses to date
> has been less than users do to themselves by error every day.

is undoubtedly true, and those crashed hard disks have to be reloaded from someplace.

Bill Cheswick
ches@research.att.com

------------------------------

Date:    Tue, 02 Jan 90 00:00:00 +0000
From:    "Dean E. Nelson"
Subject: Virus data collection

There has been some discussion in past digests about similarities between biological and computer viruses. I guess that is where the name came from. There is one big difference, however. Biological viruses have been around for much longer. This fact, in itself, is not very useful, but because they have been around longer, there is a much longer history of human response to them.

The initial human response to viruses was not scientific. People got ill and suffered. They would blame themselves, family members, or perhaps the stars for their malady. Often they would seek divine (or supernatural) intervention. I'm sure we can all think of users who consider the action of their computers magic and viral attacks within the same realm.

As science increased our understanding of the human body, viral infections became better understood. The medical profession became more and more able to combat viral infection and even impute immunity before an attack. This was possible because of an understanding of the causal chains associated with viruses.

By the very nature of computer viruses (they are programs), the causal chains associated with them can be made much clearer in a much shorter period of time than with biological viruses. Therefore, the research done to understand the computer virus is much faster and more complete than with its biological counterpart. The resulting interventions are also more complete and failsafe than their biological counterparts.

Given all that, perhaps there are still techniques used to combat biological viruses that haven't been used with computer viruses. After all, we have been at that much longer and against a more insidious foe. After some thought, I can only think of things that rely on data analysis.
Given the data, we could determine which prevention techniques were most effective, and we could better understand the effects of different interventions and the factors which aid or inhibit spread of the infection.

I agree with Mr. McMahon (vol. 3, issue 1) that data collection is a good first step (in trying to minimize the *effect* of viruses). I also believe that Mr. Murray (same issue) makes a useful analogy when he refers to the study of virus spread as an Epidemiological pursuit. The preceding paragraphs were written to make that very same point.

Dean Nelson, Lehigh University Computing Center
DEN0@vax1.cc.lehigh.edu
DEN0@lehigh.bitnet
(215)258-4988

------------------------------

Date:    Tue, 02 Jan 90 14:28:05 -0500
From:    Kenneth R. van Wyk
Subject: (forwarded) review of The Cuckoo's Egg

Forwarded (with the author's permission) from misc.security:

Date: 8 Dec 89 22:22:52 GMT
From: ecl@mtgzy.att.com (Evelyn C Leeper)
Subject: THE CUCKOO'S EGG by Clifford Stoll

THE CUCKOO'S EGG by Clifford Stoll
Doubleday, 1989, ISBN 0-385-24946-2, $19.95.
A book review by Evelyn C. Leeper

If you're wondering what to get that computer-addict friend of yours for Hanukkah, or she's wondering what to get you, try Clifford Stoll's book about tracking a West German spy through the UNIX* computer networks. When I got the book I decided to take a look at the first couple of chapters just to see how it was, and found myself so hooked that I sat down and read it straight through in one evening.

Now perhaps I'm somewhat predisposed to this topic, being associated with security in a professional capacity. And since I am a science fiction reader, the whole cyberpunk movement (or non-movement) has made me even more aware of the possibilities for this sort of activity. So I can't say that you should run out and buy this book for your Uncle Fred, who has yet to figure out how to make the clock stop blinking on his VCR.

But if you're at all interested in the topic and somewhat knowledgeable about computers, or willing to learn, you should have no trouble following the events described in the book. The groundwork and basic terminology are laid out and explained. In science fiction, this is usually accomplished by having the girlfriend of the hero ask, "Gee, Fred, what is a computer anyway?" but Stoll is able to avoid this, in part because he was not originally a computer scientist and often needed terms and procedures clarified for himself.

In addition to having a fast-moving, hi-tech spy plot (is Stoll the Tom Clancy of the computer set?), the book provides some insight into how security REALLY works. For those who worry about how much the government is watching what they do, the truth will come as a great relief: it's next to impossible to get the government to care about anything that goes on in and around computers unless you can hit them over the head with the equivalent of a ten-ton weight, and even then they may merely blink momentarily. And while most of the time, that pesky 75-cent accounting error isn't worth tracking down, every once in a while you can hit the jackpot.

A nice by-product of all this is that the book would not be a bad supplemental text for a computer security course. (Well, a nice by-product for Stoll, anyway.) One of the problems with the standard UNIX system security texts is that they tell you how to make your system secure, but don't tell you what to do when you somehow find yourself with a system insecure enough that someone has broken in. THE CUCKOO'S EGG shows you some "tricks of the trade" that aren't spelled out elsewhere. I find myself wishing that all our computer users would read this book so they'd stop asking why they need passwords or why permissions can't be freed up. (I occasionally describe the latter phenomenon by claiming that many users think that "0777" is the only possible first argument for CHMOD.)

The book closes with an epilogue recounting the Great Internet Virus of November 1988. (With my usual excellent planning I was 8000 miles away when it all hit the fan and heard about it only in retrospect.) While some may question its place here--the virus, so far as anyone knows, had nothing to do with the West German hacker--I think the epilogue may teach the most important lesson of the book: your systems are never perfectly secure. There will always be one more hole, one more back-door, one more weak point. To paraphrase John Philpot Curran, "The condition upon which [one has secure systems] is eternal vigilance." And while more technical descriptions of the virus are available "in the literature" (as they say), this is a good explanation for the wider audience of this book.

Some have said the book should be edited down, but I don't think the personal asides (including the infamous chocolate-chip cookie recipe everyone is talking about!) hurt the book, and they go a long way toward filling in a picture of what Stoll is like. (Actually, I saw him being interviewed on C-SPAN, and as quirky as he is in the book, he's three times more so on screen.)

[Note: a more concise, and somewhat more technically oriented, account of this saga may be found in Stoll's article "Stalking the Wily Hacker" in the May 1988 COMMUNICATIONS OF THE ACM.]

* UNIX is a registered trademark of AT&T.

Evelyn C. Leeper | +1 201-957-2070 | att!mtgzy!ecl or ecl@mtgzy.att.com
Disclaimer: This review is solely my opinion and the opinions expressed therein should not be attributed to my employer (or anyone else, for that matter).

------------------------------

Date:    Tue, 02 Jan 90 11:02:44 -0500
From:    Brian Piersel
Subject: Re: Spafford's Theorems

On Fri, 22 Dec 89 12:28:00 -0500 said:

>6. The current vector for viruses is floppy disks and diskettes, not
>programs. That is to say, it is the media, rather than the programs,
>that are moving and being shared.

What about infected programs uploaded to a BBS?
If someone else downloads that program and uses it, their system will be infected with the same virus. In this case, the media has _not_ moved, which would indicate that programs are also a vector for viruses. Of course, in some cases, such as viruses that infect boot sectors, etc., the disk itself must be shared, but in others, it is only the program that must move.

+----------------------------------------------+
| Brian Piersel                                |
+----------------------------------------------+
| BITNET: SPBK09@SDNET                         |
| INTERNET: SPBK09%SDNET.BITNET@VM1.NoDak.EDU  |
+----------------------------------------------+
| IBM = Itty Bitty Machine                     |
+----------------------------------------------+

------------------------------

Date:    Wed, 27 Dec 89 12:47:52 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Two serious cases (PC)

Most virus researchers exchange/distribute viruses only on a strict need-to-know basis, in order to limit the spread of viruses. However, this does not work as well as intended. There are now two known cases where untrustworthy people seem to have obtained viruses from researchers.

Case #1: Icelandic-1/Saratoga

I discovered the Icelandic-1 virus here in Iceland in June this year. When I had disassembled it, I sent a disassembly of an infected file to several experts in the USA, UK and Israel, including the HomeBase folks (McAfee). Before I sent out the disassembly, I made one small change to it. This change had no effect on the operation of the virus, but it would make it possible to determine if a copy of this virus found outside of Iceland was based on my disassembly or not.

Looking back, I can see that this was not a very good idea, simply because there was a possibility that somebody might select an invalid identification string, based on this disassembly. So, those of you having a copy of my disassembly, please contact me if you want to correct it.

This change was also (by accident) included in the Icelandic-2 disassembly, since I used the Icelandic-1 disassembly as a basis for that.

Now - back to the Icelandic-1 virus. Three days after the virus was made available on the HomeBase bulletin board, in a restricted area that only a few people had access to, a new virus was discovered in Saratoga and uploaded to the HomeBase BBS. Some people thought for a while that Saratoga was an older variant of Icelandic-1, because it was at first said to have been found "a few months earlier", but this turned out to be a misunderstanding.

Saratoga was just a minor variant of Icelandic-1, but the change I made was present in the virus, so it was obviously based on my disassembly. When Saratoga was found, I had only sent Icelandic-1 to three or four persons in the US - and, as far as I know, it had only been made available to other persons in one place (HomeBase). They believe that the person responsible for creating "Saratoga" has now been found, and his access to the restricted area has been terminated.

Case #2: dBase

The dBase virus was discovered by Ross Greenberg. It seems to have been planted at only a single site, because no other reports appeared for several months. Recently Ross made the virus available to a number of virus researchers. Within two weeks the first infection reports had started to arrive - the virus had escaped.

We know that at least some of the reported infections were based on the copy from Ross, because he made one small change to the virus, before it was distributed. One instruction was overwritten by two "harmless" instructions, in order to disable the most harmful effect of the virus - the disk trashing part. This change is also present in some of the infected files that have been found recently. (In other cases the original instruction is present.)

As I said before, I do not consider it a very good idea to make changes to viruses, but it paid off in the two cases described above.
Who knows how many other cases of virus infections are (indirectly) the result of virus collection/distribution by virus experts. At least it is certain that we have to be a lot more careful in the future.

- -frisk

------------------------------

Date:    02 Jan 90 21:04:29 +0000
From:    sean@eleazar.dartmouth.edu (Sean P. Nolan)
Subject: Gatekeeper Aid Question (Mac)

Hi ho... I hope this hasn't been asked already --- I've been gone for the holidays and just discovered the problem.

I read about WDEF A and B, and checked my system with Disinfectant 1.5. No virus of any type found. Since I use Gatekeeper, I then decided to drop the Gatekeeper Aid INIT into my system folder. Again, ok.

Until, just yesterday, when I tried to Get Info on the Finder. Click on the Finder, Get Info, and zap. Cursor freezes, various ugly noises, etc etc. and then a reboot.

I have a billion INITs running, but narrowed it down to Gatekeeper Aid by pulling things in and out of the system folder and rebooting. The problem seems only to happen with the Finder, i.e. I can get info on any other file, and I haven't found any other problems. Still, it's a little disconcerting, so I thought I'd drop a note and see if people know about the quirk, and if there's a fix.

Thanks!

- --- Sean

SE/20 with internal 20 meg and external Microtech Nova 40.
System 6.0.3
4 Megs RAM

Gatekeeper Aid
GateKeeper 1.1.1
Adobe Type Manager
Moire 3.0
Soundmaster 1.2
Remember 1.3
TappyType
Programmer's Key
Safe Eject
KSP (Dartmouth-specific comm. protocol INIT)
MacroMaker
Easy Access
AppleShare
Broadcast
Public Folder 1.0
Shield INIT (from SUM)

(I know that's a million of them, but I honestly have checked them all and Gatekeeper Aid is the problem... I still have the problem even running only GK Aid and GK.)

+----------------------------------------------------------------------------+
| Sean P. Nolan     | Net: Sean_Nolan@Mac.Dartmouth.EDU | "Let's face it:    |
| Dartmouth College |                                   |  IBM is no fun."   |
| Hinman Box 2658   | SCALP 'EM!                        | ::::::::::         |
| Hanover, NH 03755 |                                   | John C. Dvorak     |
+----------------------------------------------------------------------------+

------------------------------

Date:    Tue, 02 Jan 90 16:04:08 -0800
From:    Alan_J_Roberts@cup.portal.com
Subject: SCANV54 (PC)

ViruScan versions V53 and V54 have been released in rapid succession. V53 contains a bug which causes false positives for the 4096 virus on some systems and V54 fixes the bug. Both versions now detect the 4096, Oropax, Chaos and Virus-90, bringing the total number of known and detected PC viruses to 60. Let's hope this explosion in the number of new viruses slows down this year. V54 is available now on HomeBase - 408 988 4004.

Alan

------------------------------

Date:    Wed, 03 Jan 90 06:10:35 +0000
From:    biar!trebor@uunet.uu.net (Robert J Woodhead)
Subject: Re: WDEF / Apology to Mainstay Software (Mac)

jln@acns.nwu.edu writes:

> 1st Aid Software deserves a great deal of credit for having the only
> virus prevention tool that was capable of catching WDEF.  Everybody
> else failed, including Symantec's SAM, HJC's Virex, Gatekeeper, and
> Vaccine.  I don't know about MainStay's AntiToxin - I don't have a
> copy of that either (yet).

Not _quite_ true, John. The VIREX "Record/Scan" operation has been scanning for WDEFs et al. since it was added. The problem is that it takes longer than a normal scan, so most VIREX users don't bother with it. A pity. It and the 1st Aid tool are really good at pointing out weirdnesses.

- --
Robert J Woodhead, Biar Games, Inc.  !uunet!biar!trebor | trebor@biar.UUCP
Announcing TEMPORAL EXPRESS.  For only $999,999.95 (per page), your message
will be carefully stored, then sent back in time as soon as technologically
possible.  TEMEX - when it absolutely, positively has to be there yesterday!
------------------------------

Date:    Wed, 03 Jan 90 05:55:47 -0500
From:    Thomas Neudecker
Subject: Disinfecting Binhexed Files (mac)

I am trying to maintain a local Macintosh bboard [The Pittsburgh Apple Business Users Group, (412) 828-8011]. The vast majority of the files posted to the bboard have been BinHexed and/or StuffIt. Time does not allow me to test each of the uploads submitted for posting on the board. But I don't want to pass any viruses to those who download files from my board.

I suspect that virus detection utilities will just consider these files to be clean ASCII documents. So running Disinfectant to check and clean the bboard's inbox is useless.

Does anyone know of a tool that will read the file's creator type and if it is BinHex or StuffIt do the translation on the fly, disinfect, and restore the file type? A version for both the Macintosh OS and UNIX would help slow the spread of viruses via bboards.

Tom Neudecker
Carnegie Mellon University
TN07+@Andrew.CMU

------------------------------

Date:    Wed, 03 Jan 90 10:54:39 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: New viruses (PC)

Several new PC viruses have appeared recently. This short note contains a preliminary description of some of them, including the new viruses in the package from Poland. I have updated my anti-virus programs to detect, stop and remove the viruses listed below (as well as the other 40 PC viruses known), and unless somebody sends me a new virus today, I will start sending the programs out tomorrow or the day after that.

The Amstrad virus.

This virus is rather interesting. It is a direct-action virus, that will add 847 bytes to the front of any .COM file it finds in the current directory. The virus is very primitive, because the virus code is only around 334 bytes long, which makes this the shortest PC virus known today. The rest contains zeros and the string:

   "Hello, John Mcafee,please uprade me.Bests regards,Jean Luz."
One note: I feel the name "Amstrad" is totally inappropriate, since the virus seems to have nothing to do with Amstrad computers whatsoever.

The Payday virus

This is not a new virus, just a YAVJV (Yet Another Variant of the Jerusalem Virus). It seems to be very close (or perhaps identical) to Jerusalem-B.

Musician

One of the viruses from Poland. As reported earlier, it is the same virus as the "Oropax" virus reported several months ago in W-Germany.

Perfume (alias 765 or "4711")

A .COM infecting virus of German origin, that will sometimes ask the user a question and not run the infected file unless the answer is "4711", which is the name of a perfume. This virus will look for COMMAND.COM and infect it unless it is already infected. Infected files grow by 765 bytes. In the most common variant of the virus, the questions have been overwritten with garbage.

W13

This is a rather primitive .COM infecting virus. Two variants are known, the first one is 534 bytes long, but the second (with some bugs corrected) is only 507 bytes long. The virus is of the "Direct Action" type and does nothing interesting.

Vcomm

An .EXE infecting virus that came from Poland. It is not very well written, but easy to study, since the commented source code was included. When an infected program is run, it will infect one .EXE file in the current directory. Infected programs are first padded so their length becomes a multiple of 512 bytes. Then the virus adds 637 bytes to the end of the file. It will also install a resident part that will intercept any disk write and change it into a disk read.

December 24th

An Icelandic variant of the Icelandic-2 virus. It will infect one out of every ten .EXE files run. Infected files grow by 848-863 bytes. If an infected file is run on December 24th it will stop any other program run later, displaying the message "Gledileg jol" ("Merry Christmas") instead. The virus also contains a number of minor changes and extra NOP instructions.
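Tom Neudecker's message above asks for a tool that recognizes a BinHexed upload, translates it on the fly, scans the result, and preserves the file type. The following is an added example written for this digest, not code from any of the posters or from Disinfectant, Gatekeeper or any other tool named here. It implements the BinHex 4.0 container (the 6-bit text encoding, the RLE90 run-length layer, and the header/data-fork/resource-fork layout with their three CRCs), then runs a signature scan over both forks, which is where a Mac scanner would have to look. The encoder half exists only so that a sample archive can be constructed in memory; the file name Sample.app, its APPL/TEST type and creator, and the signature bytes are constructed stand-ins, not any real virus's pattern. StuffIt archives are a different compressed format and are not handled here.

```python
"""BinHex 4.0 (.hqx) decoder plus a fork scanner, as a bboard inbox filter would need.
Added example, not code from the digest or from Disinfectant/Gatekeeper.
Layout after 6-bit + RLE90 decoding: name-length, name, 0x00, type(4), creator(4),
flags(2), data len(4), rsrc len(4), CRC(2), data fork, CRC(2), rsrc fork, CRC(2).
"""
import binascii
import struct

BANNER = b"(This file must be converted with BinHex 4.0)"
ALPHABET = b"!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"
DECODE = {c: i for i, c in enumerate(ALPHABET)}
SIGNATURES = {"EXAMPLE-SIG": b"\xde\xad\xbe\xef\x90\x90\x90\x90\x90"}  # constructed stand-in

def rle90_encode(data):
    """Runs of 4..255 equal bytes -> <byte> 0x90 <count>; a literal 0x90 -> 0x90 0x00."""
    out, i = bytearray(), 0
    while i < len(data):
        b, run = data[i], 1
        while i + run < len(data) and data[i + run] == b and run < 255:
            run += 1
        if b == 0x90:
            out += b"\x90\x00" * run
        else:
            out += bytes([b, 0x90, run]) if run >= 4 else bytes([b]) * run
        i += run
    return bytes(out)

def rle90_decode(data):
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != 0x90:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated RLE90 escape")
        n = data[i + 1]
        if n == 0:
            out.append(0x90)                        # escaped literal 0x90
        elif out:
            out += bytes([out[-1]]) * (n - 1)       # previous byte, n copies in total
        else:
            raise ValueError("RLE90 repeat with no preceding byte")
        i += 2
    return bytes(out)

def sixbit_encode(data):
    out, acc, bits = bytearray(), 0, 0
    for b in data:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 6:
            bits -= 6
            out.append(ALPHABET[(acc >> bits) & 0x3F])
        acc &= (1 << bits) - 1
    if bits:                                        # zero-pad the last partial group
        out.append(ALPHABET[(acc << (6 - bits)) & 0x3F])
    return bytes(out)

def sixbit_decode(text):
    out, acc, bits = bytearray(), 0, 0
    for c in text:
        if c in b"\r\n":
            continue                                # line breaks carry no data
        if c not in DECODE:
            raise ValueError("invalid BinHex character %r" % chr(c))
        acc, bits = (acc << 6) | DECODE[c], bits + 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1
    return bytes(out)                               # leftover <8 bits are padding

def crc16(data):
    return binascii.crc_hqx(data, 0)                # CRC-16/CCITT as BinHex uses it

def build_stream(name, ftype, creator, data, rsrc):
    header = bytes([len(name)]) + name + b"\x00" + ftype + creator
    header += struct.pack(">HII", 0, len(data), len(rsrc))
    return b"".join(p + struct.pack(">H", crc16(p)) for p in (header, data, rsrc))

def wrap_stream(stream):
    # Real encoders wrap the body at 64 columns; the decoder ignores line breaks anyway.
    return BANNER + b"\r\n:" + sixbit_encode(rle90_encode(stream)) + b":\r\n"

def binhex_decode(hqx):
    """Parse an .hqx blob and verify all three CRCs; raises ValueError on damage."""
    start = hqx.index(b":", hqx.index(BANNER) + len(BANNER))
    s = rle90_decode(sixbit_decode(hqx[start + 1:hqx.index(b":", start + 1)]))
    if len(s) < 22 or len(s) < 1 + s[0] + 1 + 18 + 2:
        raise ValueError("truncated header")
    hlen = 1 + s[0] + 1 + 18
    ftype, creator, _flags, dlen, rlen = struct.unpack(">4s4sHII", s[hlen - 18:hlen])
    offsets = ((0, hlen), (hlen + 2, dlen), (hlen + 2 + dlen + 2, rlen))
    parts = []
    for label, (off, n) in zip(("header", "data", "rsrc"), offsets):
        chunk = s[off:off + n]
        if len(chunk) != n or len(s) < off + n + 2:
            raise ValueError("truncated %s" % label)
        if crc16(chunk) != struct.unpack(">H", s[off + n:off + n + 2])[0]:
            raise ValueError("%s CRC mismatch" % label)
        parts.append(chunk)
    return {"name": s[1:1 + s[0]].decode("mac_roman"), "type": ftype,
            "creator": creator, "data": parts[1], "rsrc": parts[2]}

def scan_forks(entry):
    """(fork, signature) hits; Mac executable code lives in the resource fork."""
    return [(fork, label) for fork in ("data", "rsrc")
            for label, sig in SIGNATURES.items() if sig in entry[fork]]

def build_sample():
    """Constructed upload: a fake APPL whose CODE resource carries the stand-in pattern."""
    data = b"Hello, clean data fork\x00" * 3
    rsrc = b"CODE" + b"\x00" * 40 + SIGNATURES["EXAMPLE-SIG"] + b"\x00" * 10
    return wrap_stream(build_stream(b"Sample.app", b"APPL", b"TEST", data, rsrc))

def check_upload(hqx):
    """Inbox filter step: decode the archive, scan both forks, report what was found."""
    entry = binhex_decode(hqx)
    return entry["name"], entry["type"], scan_forks(entry)

if __name__ == "__main__":
    print(check_upload(build_sample()))
```

Two points matter for an inbox filter. The type and creator travel inside the BinHex header, so a decoder that keeps them (as the returned entry does) answers the "restore the file type" half of the question without touching the original .hqx. And the three CRCs are checked before any scanning result is trusted: a damaged or truncated upload is rejected as unreadable rather than reported as clean.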
------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253