VIRUS-L Digest Wednesday, 7 Feb 1990 Volume 3 : Issue 32 Today's Topics: Checksums Are virus sources public domain software ? More about the 1260 virus (PC) re: Universal virus detectors: Once more with feeling Yankee Doodle Virus (PC) Re: The 4096 virus (PC) The V2000 virus (PC) EDV Virus (New) (PC) RE: AIDS... (Mac) Killer Virus Re: Universal Virus Scanner VACSINA - the name (PC) Identification strings New Trojans (Mac) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk --------------------------------------------------------------------------- Date: Sun, 04 Feb 90 13:56:00 -0500 From: IA88000 Subject: Checksums This is an open question to anyone on the list who would care to answer. If you had your choice, which checksum routine would you consider most secure, and why. If you do not want to reply on the list but would rather reply by email, that's okay. To make the question a little more specific, of the checksum routines available today, which would you select. ------------------------------ Date: Mon, 05 Feb 90 10:31:39 +0000 From: ZDEE699@ELM.CC.KCL.AC.UK Subject: Are virus sources public domain software ? In VIRUS-L, V3-I29, Todd Hooper () writes: > What possible technique could you use > to make it illegal 'illegal to own or transmit virus code '? " Well, how about some reliable organisation (the CERT, for example) registering the source code under copyright laws ? Is virus code considered as public domain software ? I wouldn't think so ! If the source was copyright, then anyone having an unauthorized copy of it would be in illegality. In fact, one might even say that the virus itself is illegal on the grounds that it copies itself without authorization. Anybody who feel they *NEED* to keep the source in their possession should then also register or ask for authorization from the organisation holding the copyright. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |Olivier M.J. Crepin-Leblond, Comp. Sys. & Elec. Eng | On this computer, | |Electrical & Electronic Eng, King's College London, UK | a flame-proof | |BITNET : | shield, is an | |INTERNET: | expensive gadget... | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ------------------------------ Date: Mon, 05 Feb 90 12:19:47 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: More about the 1260 virus (PC) David Chess has just informed me of an interesting fact I missed in my earlier note dealing with the 1260 virus. If the encryption module is removed, what is left is just a variant of the old and well-known "Vienna" virus. This variant is clearly derived from the version published in "Computer Viruses: A high-tech disease". The book is then responsible for three viruses, because Lisbon and GhostBalls were also based on that disassembly. I have now disassembled the virus and a detailed description of it will appear in the March issue of the Virus Bulletin. My F-PROT package has been modified, and now it can detect and disinfect "1260" and other viruses that use encryption methods with permutations of the decoding instructions. This new version (1.08) will be uploaded to SIMTEL tomorrow. The bugs found in 1.07 have also been fixed: One program (F-OSCHK) contained a message in Icelandic, and another (F-DLOCK) interfered with CHKDSK and some other programs. Those of you who have asked me for a copy of F-PROT and not yet received a reply - I will send you a copy of version 1.08 - sorry about the delay. Version 1.08 will also contain code to identify and remove the "new" Bulgarian viruses. - ------------------------------------------------------------------------------ frisk - Fridrik Skulason University of Iceland, Computing Services. Technical Editor, Virus Bulletin. ------------------------------ Date: 05 Feb 90 00:00:00 +0000 From: "David.M..Chess" Subject: re: Universal virus detectors: Once more with feeling > David Chess continues, in essense, to complain about the user > interface. Not at all! I'm saying that, no matter *what* the user interface looks like, a system that relies on a human to decide whether or not a timestamp-change is legitimate is no more a "universal virus detector" than a program that relies on the user to type in the answers is a "universal problem solver". Jerry's point that most machines are not used for program development is well-taken. But the machines which -are- used for program development are the ones where a virus could do the most damage (if I buy a program that was infected with a virus "at the factory", the fact that it can't spread any more on my machine isn't all that much comfort). It's also important to remember that "program development" has to include writing BAT and CMD files, tailoring HyperCard cards, and anything else which can effect, in a general-purpose way, how the machine acts; taking that into account, many machines are used for program development, and the proportion that are is likely to grow rapidly as "programming" becomes easier. It also becomes less clear that an "is executable" bit is useable. Would a Basic program be marked as executable? Would a shell script? DC ------------------------------ Date: Mon, 05 Feb 90 10:09:36 -0800 From: Alan_J_Roberts@cup.portal.com Subject: Yankee Doodle Virus (PC) This is a forward from John McAfee: ================================================================= O. Fadel points out that Clean-Up overwrites files infected with the Yankee Doodle virus and then deletes them rather than removing the virus and repairing the program. This is pointed out clearly in the documentation. Clean-Up V57 currently repairs infections from 17 of the most common viruses (Yankee Doodle is by no means a common virus - at least based on our reporting statistics) and will identify and overwrite the remainder. Each version of Clean-Up will add more viruses to the list that we can repair - the remainder we will still identify and overwrite. Our priorities for inclusion in the "repair" list are based on the frequency of virus reports. We hope to have all viruses included in the repair list by May 15. Yankee Doodle is Scheduled for mid- April. Mr. Fadel asks why the Clean-Up delete function for less common viruses is any better than the DOS delete function and why anyone would bother to include it. The answer is that the DOS delete function, to the best of my memory, cannot search and identify an infected file. Neither does it do an overwrite. (We overwrite with C3H - the return function - so that a careless undelete will never return the virus to your system). If Yankee Doodle is indeed a larger problem than we thought, then we can re-arrange its priority and move it from the delete list to the repair list for the next version. I welcome suggestions. John McAfee 408 988 3832 (Voice) 408 988 4004 (BBS) 408 970 9727 (FAX) ------------------------------ Date: 05 Feb 90 20:32:00 +0700 From: T762102@DM0LRZ01.BITNET Subject: Re: The 4096 virus (PC) In issue #27 John McAfee (Alan_J_Roberts@cup.portal.com) writes: > The virus is memory resident and infects COMMAND.COM, EXE >files and COM files. The virus initially places the machine in >single-step mode and then issues an interrupt 21, sub-function 52 to >determine the real address of the interrupt 21 code within DOS. >Thereafter, it issues a long jump to that location to avoid any >interrupt trapping antivirals that may be resident. Thus the >infection process, after the virus becomes resident, is transparent. > The strangest part of the virus is that it is also able to >trap all other disk reads and writes, and whenever an infected file is >accessed by any program, the virus performs a disinfection of the >program on the fly. Thus checksumming techniques, file length checks, >and other file modification detectors cannot perceive the infection on >the disk. Even searching the disk for the specific virus code will >fail, since the code is removed from the file during the read request. I was sure that somewhen someone of the virus writers out there would have the same idea! The latest versions of the Bulgarian TP viruses perform exactly in the same way! (The 4096 virus however is not known in Bulgaria.) I purposely didn't discuss in deep these techniques but I see now that this was useless --- someone had already reinvented them. Too sad... By the way, I have some general questions about viruses: (1). Which of the known viruses will run under OS/2? I mean exactly OS/2, not its DOS 3.3 compatibility box. (2). Does anybody know something about a VAX/VMS virus which, when activated, slows down the data exchange with the terminals (something about 3 bps)? There were some rumors about such virus in Bulgaria, but I've never seen a working copy. ------------------------------ Date: 02 Feb 90 10:49:00 +0700 From: T762102@DM0LRZ01.BITNET Subject: The V2000 virus (PC) The V2000 Virus --------------- This virus is also "made in Bulgaria" and again I am indirectly the cause of its creation. I am a well known "virus-buster" in Bulgaria and my antivirus programs are very widely used. Of course, virus designers didn't like it. So their next creation... causes trouble to my antivirus programs. This virus is exactly 2000 bytes long and I think that it was created by the author of the Eddie (Dark Avenger) virus. The programming style is the same and there are even pieces of code which are the same. The virus acts much like the Eddie one --- it installs resident in memory by manipulating the memory control blocks; infects COMMAND.COM at the first run; infects both .COM- and .EXE-files; infects files when one executes them as well as when one copies them. However, there are some extras added. First, the virus is able to fetch the original INT 13h vector just like the V512 one (by using the same undocumented function --- tricks spread fast between virus programmers). Second, it intercepts the find-first (FCB) and find-next (FCB) functions --- just like V651 (and contains the same bugs), so you won't see the increased file lengths in the listing displayed by the DIR command. Third, it contains the string "Copyright (C) 1989 by Vesselin Bontchev", so people may think that I am the author of this virus. In fact, the virus searches every program being executed for this string (the case of the letters does not matter) and if found, hangs the system. It is not necessary to tell you that all my antivirus programs contain this string. Of course, now I will have to use some kind of encryption, just to prevent such tricks. Sincerely, Vesselin ------------------------------ Date: Mon, 05 Feb 90 15:19:09 -0800 From: Alan_J_Roberts@cup.portal.com Subject: EDV Virus (New) (PC) This is a forward from John McAfee: ================================================================= Dave Chess sent us another new virus that uses "creative" techniques to avoid detection from scanning type programs. Dave calls it the EDV virus. The virus infects boot sectors of floppy diskettes and the partition table (master boot record) of hard disks -- similar to the stoned virus. It saves the original boot sector and if any program attempts to read the boot sector, the virus intercepts the read and retrieves the original boot sector instead. Thus the system will appear normal even if infected. This technique is not new. The Pakistani Brain was the first virus to use this avoidance technique. What is new about this virus is that it also avoids detection from a memory scan. The virus accomplishes this feat by intercepting the clock tic and at each tic the virus interrogates ES and DS to determine if anyone is looking at the virus code. If someone is looking, the virus hangs the system. All these new detection avoidance techniques can of course be circumvented. They do require development time, however, and are becoming a nuisance. We have opted in SCAN not to block the timer interrupt (the obvious bypass to circumvent this virus) due to potential problems with time dependent background code. Instead, we've chosen to outrun the virus using our own "creative" memory scan. Seems to work so far and will be included in V58 of SCAN - - due out Feb 15th -- if beta testing goes well. John McAfee ................... ------------------------------ Date: Mon, 05 Feb 90 20:50:21 -0500 From: woodb!scsmo1!don@cs.UMD.EDU Subject: RE: AIDS... (Mac) I don't think that I have seen this question but... Did the AIDS virus really contain ANY information on AIDS or any REAL non-virus program? - -- DON INGLI-United States Department of Agriculture - Soil Conservation Service INTERNET: scsmo1!don@uunet.uu.net PHONEnet: 314!875!5344 UUCP(short): uunet!scsmo1!don UUCP(long): uunet!mimsy!woodb!scsmo1!don These are my opinions. I represent myself. Who do you think you are, Bjorn Nitmo? David Letterman '90 Catch Phrase ------------------------------ Date: 05 Feb 90 21:07:52 +0000 From: sdjr@amdcad.AMD.COM (James Reeves) Subject: Killer Virus I have just finished disassembling a virus that was found in our company that is called KILLER DISK by Computer OGRE. If anyone has been infected by this virus drop me a line. I have written a program that will detect and remove the virus from any floppy or hard disk. In addition I have extracted the algorithm neccessary to undo the damage if the virus attacks the hard disk. The virus takes about 48 hours of computer use before attacking. In the mean time it transfers itself to ANY floppy that is read or written from the infected machine. If anyone has any comments or questions please let me know. Thanks James Reeves ------------------------------ Date: 06 Feb 90 09:31:28 +0000 From: d88-cwe@nada.kth.se (Christian Wettergren) Subject: Re: Universal Virus Scanner I think that the discussion about an Universal Virus Scanner is very intresting but is it even possible to conclude that a program doesn't modify itself? What I mean is that I don't think that you could create a program that could say YES, this program modifies itself, or NO, this program doesn't modify itself. That depends of course of what microprocessor you use. On an ordinary 8086 you couldn't, I think. Imagine this; The program has an instruction that contains a reference to it's own code- adress. ( MOV CS:0199h, XXXX ) OK, then don't tolerate that. But what if it calculates it from a formula? ( MOV CS:[BX], XXXX ) Then don't tolerate a reference that uses a CS-prefix. But the same adress is reachable from perhaps some Data Segment. ( MOV DS:1238h, XXXX ) OK, then don't tolerate direct references to the code through a Data Segment But what if it is calculated through a formula? ........ ( MOV DS:[BX], XXXX ) Then don't tolerate writes at all.... 8-) Of course some micros could prohibit this behavior by some sort of MMU-scheme, but I think that at least 8086 and 68000 (not so sure there, though) couldn't contain an algorithm that could determine if the program was self-modifying or not. (Of course it could contain it, but it would have to be simulating the micro itself, and hence has the same problem there, etc) Christian Wettergren d88-cwe@nada.kth.se Royal Institute of Technology, Stockholm, Sweden ------------------------------ Date: Tue, 06 Feb 90 10:20:11 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: VACSINA - the name (PC) Some time ago there was a bit of discussion here on Virus-L, regarding the virus name VACSINA. According to Vesselin Bontchev - the Bulgarian virus researcher, there is a logical explanation for the name - which is the Bulgarian word for "vaccine". VACSINA is the logical name of a device-driver virus-protection program, written by the same person as wrote the virus. Since the virus communicates with this program, the string VACSINA appears in the virus. The full decription of the "VACSINA" virus (as well as the other 30-50 Bulgarian virus variants) will probably be posted by Vassilian soon. - ------------------------------------------------------------------------------ frisk - Fridrik Skulason - University of Iceland, Computing Services Technical Editor, Virus Bulletin ------------------------------ Date: Tue, 06 Feb 90 10:47:37 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Identification strings I have been comparing a few little-known virus-detection programs recently. There is a problem with some of the less well known programs, namely that they may appear as infected to some of the other anti-virus programs. The reason is that they sometimes store a virus identification string in unmodified form, and in the case of the shorter viruses, two programs may have picked the same identification string, which may cause them to appear as infected to one another. So - you anti-virus writers out there: Please store identification strings encrypted, reversed or somehow modified. Another subject - there is some confusion regarding the terms "identification string" vs. "signature strings". How about: Identification string: A sequence of bytes, used by anti-virus programs to check if a program is infected. Signature string: A sequence of bytes, used by the virus to check if a program is infected. Comments ? Fridrik Skulason - University of Iceland, Computing Services. frisk@rhi.hi.is Technical Editor, Virus Bulletin. ------------------------------ Date: 06 Feb 90 08:56:00 -0500 From: "WARTHMAN" Subject: New Trojans (Mac) Peter Johnston posted information about two strains of a new trojan which can damage the Macintosh file system. One strain exists in a program called "Mosaic" and the other in a program called "FontFinder". I'd like to know if anyone else has had experience with these two trojans, and which of the existing commercial and public domain anti-virus tools can detect/prevent them from doing their damage. Since the "FontFinder" trojan has a trigger date of 10 Feb, it's important that we quickly publicize this trojan's effects and countermeasures. Thanks in advance. --- Jim Warthman ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253