VIRUS-L Digest   Friday, 9 Feb 1990    Volume 3 : Issue 36

Today's Topics:

WDEF at James Madison University (Mac)
F-PROT for the PC: Is it any good?
RE: Copyrighting virus code
Re: Mac Virus Harmlessness
Re: Idea for WDEF Innoculation (Mac)
Re: Disinfectant 1.6 (Mac)
WDEF A hit, report & discussion (Mac)
Info on Stoned/Marijuana virus
Re: Mac Virus Harmlessness
Virus Bulletin

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list. Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.

 - Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 08 Feb 90 13:45:00 -0500
From:    
Subject: WDEF at James Madison University (Mac)

Hello to all!

For those tracking WDEF, it has made it to the Shenandoah Valley. Here
at JMU, we have found WDEF in all of our Mac labs and quite a few of the
administrative offices that have Macs. Currently, we are using Virex 2.3
and Disinfectant 1.5 to remove infections as they are found. We are
concerned about reinfections, however, and would appreciate any and all
suggestions.

Also, would someone please clear up the confusion about Disinfectant 1.6?

[Ed. See message below.]

Thanx,

John Bowers
Academic Computing Services
James Madison University
Bitnet: ACS_JOHN@JMUVAX1

------------------------------

Date:    08 Feb 90 20:19:39 +0000
From:    evans-ron@YALE.EDU (Ron Warren Evans)
Subject: F-PROT for the PC: Is it any good?

I'm a user consultant at Brandeis University.
Somehow the responsibility for learning about and killing viruses for both
the Mac and the PC has fallen to me. I am in the process of making a
recommendation for antiviral packages for the PC.

For a while it seemed that there was no package that provided really
adequate protection: Flu_Shot+ would only protect against infection, but
could not identify an attacking virus or disinfect a disk, and Viruscan
could only identify viruses, not protect against them or disinfect.

Recently, though, I downloaded a package from Simtel20 called F-PROT. If
the documentation is to be believed, it protects against and identifies
viruses and disinfects disks as well. Moreover, it is cheaper than either
of the other packages.

I would like to recommend this package to my supervisor, since if F-PROT
works, it will make my job a lot easier. My supervisor, however, is
suspicious. He points out that F-PROT is virtually unknown in the U.S.,
is produced by a lone Icelandic programmer, is untested here, and may not
be well-supported.

My request: would any of you Netlanders who have used F-PROT for a while
let me know how well it works in your experience and if you have had any
problems with customer support, bugs in the program, ease of use, and so
on? Please email me your responses and I will post a summary to the Net.

[Ed. I'd be willing to bet that there's at least one "lone Icelandic
programmer" on this list that would be willing to help you out. :-)
Still, an objective (read: independent) review of F-PROT and other
products would be very appreciated. It's been a long time since we've
seen such a thing here. Any takers?]

- -----------------------------------------------------------
I don't want to die! Existence is one of my strong points!
Ron Warren Evans... evans-ron@cs.yale.edu, evans@brandeis.bitnet
U.S. Snail: 139 Salem St.
#6, Boston, MA 02113

------------------------------

Date:    Thu, 08 Feb 90 16:30:00 +0000
From:    "Olivier Crepin-Leblond"
Subject: RE: Copyrighting virus code

In VIRUS-L V3-34 Steven C Woronick writes:

>Even if you could copyright viral code, it's
>not likely to discourage the kind of people who write viruses (aren't
>those the ones you are really after?) from copying it. Also, what
>happens if some virus-loving person copyrights it before you do and
>then grants universal privilege to copy? Just wondering...

My idea was not to discourage hackers (or whatever name you give them)
from writing viruses. Thieves steal even though it is illegal! The idea
was to discourage computer users, students, etc. from holding copies of
viruses.

In December of last year, I went to a computer fair here in London. The
machines concerned were PC compatibles. In one corner of the place (near
the... bar) hackers were exchanging code, etc. It is perfectly illegal
and I am sure the organisers of the exhibition were not aware of the
events. I discovered it while waiting to get a drink (it's called
eavesdropping). It seems that virus source code is highly sought after
by these people, aged 17 -> 30.

I can hardly imagine some individual copyrighting virus source code.
Anyone doing that will probably be in for a lot of trouble...

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond, Comp. Sys. & Elec. Eng    | On this computer, |
|Electrical & Electronic Eng, King's College London, UK | a flame-proof     |
|BITNET  :                                              | shield, is an     |
|INTERNET:                                              | expensive gadget...|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

------------------------------

Date:    08 Feb 90 20:59:34 +0000
From:    vronay%castor.usc.edu@usc.edu (David Vronay)
Subject: Re: Mac Virus Harmlessness

[Joe McMahon] writes:

>It's interesting, but up until now, most viruses on the Mac have been
>"damageless" - the only reason they cause trouble is because of bugs
>and incompatibilities, not deliberately harmful code. nVIR, at worst,
>causes your Mac to beep in some cases (side effects are worse -
>crashes, hangs, printing failures).
>
>Perhaps we just haven't had the right (wrong?) people writing Mac
>viruses so far. Any ideas?

(I am the last person who would want to add to virus paranoia, but..)

More sobering is the possibility that there are viruses sitting dormant
on our machines as we speak that are bug-free and thus-far undetected.
Take WDEF, for instance. Consider a scenario in which the programmer had
actually followed the compatibility guidelines and produced error-free
code. It would probably be quite a while before any of us had noticed
this little "addition" to our desktop files. (I don't know about
everyone else, but I don't exactly check my desktop file for new
resources every day)

When you consider that a) the reason we know about most of the viruses
that are around today is due to stupid programming errors, and b) to
date very few viruses have been malevolent, and c) to date most viruses
have not been clever at all about how they replicate (WDEF, for example,
could have patched itself into an _EXISTING_ WDEF resource, so that the
infected WDEF would still perform normal, as well as viral, activity)
one can only conclude that we are at the tip of the virus iceberg. The
problem could get _much_ worse.
- -ice
================================
reply to: iceman@applelink.apple.com
AppleLink: ICEMAN
disclaimer: (not (apples-opinion-p (opinions 'ice))) => T
================================

------------------------------

Date:    08 Feb 90 21:30:07 +0000
From:    bgsuvax!denbeste@cis.ohio-state.edu (William C. DenBesten)
Subject: Re: Idea for WDEF Innoculation (Mac)

jg3o+@andrew.cmu.edu (Jason Ari Goldstein) writes:

> Just like everywhere else the WDEF is thriving here at Carnegie-Mellon
> Univ. I recently removed WDEF A & B off of 15 disks of a friend of
> mine. When I commented to someone here about the virus they said there
> was nothing they could do to stop it, except remove it once a machine
> got infected.

Install Gatekeeper Aid 1.0.1. It will check a disk as it is inserted and
remove the offending WDEF resource. It is an init that you stick in your
system folder. It is available from most archive sources or your
favorite software collector.

> ...
> The only problem with this is that it is a virus also, but with the
> proper prompts (allowing the user the choice of being inoculated) I
> don't think this would be a problem. I know I would mind not ever
> being infected by a virus that kills other viruses.

I most certainly do mind being infected by a virus. I don't care what it
does or does not do. In theory, WDEF does not do anything destructive.
In reality, WDEF causes weird errors. Fonts misbehave and I blame it on
Quickmail crashing. These are because of bugs in the virus code itself.

The fact that I drag something to my system folder is me giving it
permission to be executed in the future. I would much rather install
something this way than have it copy itself lord-knows-where.

There are additional problems. If there is a bug, it may not be obvious
how to remove the virus. There is also the issue of updates. If it is
automatically copied, you will get a large body of people using it, but
not knowing or caring about making sure that they have the latest
version.
- --
William C. DenBesten is denbeste@bgsu.edu or denbesten@bgsuopie.bitnet

------------------------------

Date:    Thu, 08 Feb 90 16:02:27 -0500
From:    "Robert Del Favero Jr."
Subject: Re: Disinfectant 1.6 (Mac)

> I have recently read something about Disinfectant 1.6 from this
>newsgroup. Its author said that there was no Disinfectant 1.6 and it
>might cause potential problems on virus detection. Someone in our lab
>downloaded it and has been using it without any obvious trouble. I
>would appreciate any further comments on this application. So, again,
>is there any upgraded version of Disinfectant after version 1.5 ? If
>not, is there any more information about this "fake" Disinfectant ?

Here's the story. A few weeks ago, when the latest version of
Disinfectant was 1.5, someone made a typo in a posting to comp.sys.mac
referring to Disinfectant 1.6. The author of Disinfectant quickly pointed
out that there was no 1.6 yet, and that if you saw a 1.6 *at that time*
then it was a fake.

Then, about a week ago, the author released a *real* 1.6 version with
some new features. So, if your friend downloaded his copy of version 1.6
in the last week or so, it is probably legitimate.

-------------------------------------------------------------------------
Robert V. Del Favero, Jr.               ISC-Bunker Ramo, an Olivetti Company
rvd@clunker.uucp                        Shelton, Connecticut, USA
OR clunker!rvd@oliveb.atc.olivetti.com

------------------------------

Date:    Thu, 08 Feb 90 11:18:59 -0600
From:    "McMahon,Brian D"
Subject: WDEF A hit, report & discussion (Mac)

I suppose it was only a matter of time, but I can still appreciate the
irony ... after posting a question about reporting and tracking
infections about a month ago, I'm now in the position of reporting one
myself.

1) DISCOVERY:

"WDEF A" was found in several Macs at Grinnell College this past Tuesday,
the 6th of February.
The initial discovery came when a faculty member reported strange
behavior on his machine, including "Application unexpectedly quit" under
MultiFinder, usually associated with insufficient available memory.
Disinfectant 1.5 spotted the infection.

Besides machines in the faculty offices, the building in question also
contains a secretaries' office, with a few machines used for service
requests, etc. This common area was also infected, meaning that any
faculty who had used the area or sent diskettes down were also hit.

2) INITIAL RESPONSE:

Our first priority was to contain the outbreak and to install protective
software (see below). Our Mac support staff (both of us! :-) made the
rounds of faculty in the building. At each station, we would run
Disinfectant to check the machines, and if WDEF was found, kill it by
rebuilding the desktop file. No matter whether we found anything or not,
we would install anti-viral software as we went along.

We kept a running list of other potential victims, and wound up checking
most machines on campus. Besides the faculty area, we found one isolated
case in an administrative office (they frequently send disks to service
bureaus), and to our embarrassment, the public-signup station in the
computer center itself.

3) FOLLOW-UP:

Much to our relief, the infection appeared to be contained to the one
faculty area and the two other machines. In particular, we were
fortunate that it had not spread to faculty areas in other buildings or
to the student lab. The public station in our office, which is used
heavily for page layout and printing, posed more of a problem. However,
we did have a signup log of users, and are contacting them individually.

Our next step was user education. We drafted an article for on-line news
and the newsletter, stressing the counter-measures available. We also
placed copies of the anti-virus tools on the public Mac, and posted a
condensed version of the newsletter article nearby.
4) TOOLS USED:

For detection, we used Disinfectant 1.5. (1.6 arrived late the same day
from SCFVM -- of course!) Removing WDEF was accomplished by rebuilding
the desktop, and at the same time we installed GateKeeper 1.1.1 and
GateKeeper Aid 1.0.1 to protect against future infections.

5) LESSONS LEARNED:

Up until now, we had been very lucky at Grinnell. Instances of infection
were almost non-existent. Although the level of virus awareness among
the staff was fairly high, we'd been lulled into a sense of complacency.
Specifically, we did not aggressively push the updates to existing tools
that would have caught WDEF. In several cases, infected machines were
running older versions of virus blockers, which the WDEF virus evades.
We're now working on a way to get updates to the users promptly as they
come out.

6) TRACKING WDEF:

I've noticed a flurry of WDEF reports lately, including several from
Midwestern sites, and (as mentioned) tracking the spread of a new virus
or strain intrigues me. Wild speculation follows: Students who live in
areas already infested by a new virus, but go to college elsewhere, also
new or returning faculty, would make an excellent vector to spread the
new critter nationwide. One conclusion is that the start of a new
semester or term is a time for increased vigilance. Another would be
that WDEF is now all over the place. *sigh*

Personally, I suspect that our infection actually involved at least two
sources, there being no plausible path between the faculty area and the
admin office. Most likely, the one came from a user introducing it to
the central secretarial area, the other from a service bureau.

Usual and customary disclaimer, my opinions only ... (mumble).

Brian McMahon
Grinnell College, Iowa

------------------------------

Date:    Thu, 08 Feb 90 22:21:02 -0500
From:    Peter Jones
Subject: Info on Stoned/Marijuana virus

We suspect an outbreak of the Stoned/Marijuana virus at UQAM.
Is there any information available on what damage this beast does, and
how it propagates? What tools are available to combat it? CLEANP57 & co
from John McAfee claim to be one possibility.

Peter Jones MAINT@UQAM (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)

------------------------------

Date:    08 Feb 90 23:06:50 +0000
From:    Matthias Urlichs
Subject: Re: Mac Virus Harmlessness

In comp.virus, XRJDM@SCFVM.BITNET (Joe McMahon) writes:

< It's interesting, but up until now, most viruses on the Mac have been
< "damageless" - the only reason they cause trouble is because of bugs
< and incompatibilities, not deliberately harmful code. nVIR, at worst,
< causes your Mac to beep in some cases (side effects are worse -
< crashes, hangs, printing failures).

nVIR, in its very first incarnation, didn't beep. It took a random file
in your System folder, and deleted it. Not good.

When I found it on my Mac, I tried to alert people about this. That
proved to be difficult. Someone at Apple Germany stated that due to the
nature of the Mac's resource structure, virii are impossible on the Mac.
(Ha!) I also didn't have any kind of AppleLink or Usenet access.

The only way out, in my (at that time) inexperienced opinion, was to
disassemble the beast and rewrite it so that it (a) superseded other
versions of itself, (b) beeped instead of deleting files, and (c)
announced itself. Change (c) seems to have got lost on its way -- nVIR
has a habit of partial replacement.

Testing was difficult because of general nonresponsiveness on the part
of anybody I told about the virus, and of course because I feared that
the original would spread too far.

Please, no flames about my lack of common sense, sense of
responsibility, or whatever. I know that already; what's more, it was
some years ago and I seem to have grown up since then.
Growing up, BTW, is something I would strongly recommend to any other
virus "author" who seems to get a kick out of seeing their intruding
code (crash) on as many Macs as possible.

However, my nVIR version seems to have succeeded in destroying the older
strain. At that time, there didn't seem to be any way to convince people
about the virus threat except by example, and random beeps are somewhat
more benign than silently thrashing files... Since all other virii on
the Mac are "benign" in the sense that they don't deliberately destroy
files, I guess it could have been worse.

- --
Matthias Urlichs

------------------------------

Date:    Fri, 09 Feb 90 12:36:59 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Virus Bulletin

I mentioned the Virus Bulletin in a recent article, and as a result I
have received a number of enquiries. The following note should answer
the questions....

- ----------------------------------------------------------------------------

The Virus Bulletin is published monthly - average length maybe 16 pages
or so. It contains detailed dissections of viruses, reviews of
anti-virus software, virus-related articles, hexadecimal search patterns
etc.

Contents of the February issue:

    Editorial
    Virus Reports
    Guidelines for Virus Prevention & Post-Attack Recovery
    IBM PC virus patterns
    Dissection: Dark Avenger
    High-Level Programs & the AIDS Trojan
    Evaluation: Virex 2.3
    Macintosh software list
    Evaluation: Iris Anti-Virus Software
    News

The editor (Edward Wilding) does not have access to the net yet.

The list of editorial advisors is impressive:

    Jim Bates, Bates Associates, UK
    Dr. Fred Cohen, Advanced Software Protection, USA
    Phil Crewe, Fingerprint, UK
    Dr. Jon David, USA
    David Ferbrache, Heriot-Watt University, UK
    Dr. Bertil Fortrie, Data Encryption Technologies, Holland
    Hans Gliss, Datenschutz Berater, West Germany
    Ross M. Greenberg, Software Concepts Design, USA
    Dr. Harold Joseph Highland, Compulit Microcomputer Security
        Evaluation Laboratory, USA
    Dr. Jan Hruska, Sophos, UK
    Dr. Keith Jackson, Walsham Contracts, UK
    Owen Keane, Barrister, UK
    Yisrael Radai, Hebrew University, Israel
    John Laws, RSRE, UK
    David T. Lindsay, Digital Equipment Corporation, UK
    Martin Samociuk, Network Security Management, UK
    John Sherwood, Computer Security Consultants, UK
    Roger Usher, Coopers & Lybrand, UK
    Dr. Ken Wong, BIS Applied Systems, UK

Subscription is restricted - only companies, universities and qualified
individuals.

Price: US$ 350/year or UK pounds 195/year

Subscription enquiries:

    Virus Bulletin Ltd,
    Haddenham
    Aylesbury
    HP17 8JD
    England

US subscriptions:

    June Jordan
    Virus Bulletin
    P.O.BOX 875
    454 Main Street
    Ridgefield
    CT 06877
    USA

- -------------------------------------------------------------------------
Fridrik Skulason - University of Iceland, Computing Services.
frisk@rhi.hi.is
Technical Editor, Virus Bulletin.

------------------------------

End of VIRUS-L Digest
*********************
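The WDEF checks described in the DenBesten message (GateKeeper Aid removing the WDEF resource from an inserted disk) and the McMahon report (Disinfectant flagging an infected Desktop file, which is then rebuilt), as an added example that is not part of the digest and not GateKeeper Aid's or Disinfectant's code: a minimal parser for the classic Mac OS resource fork that lists a Desktop file's resources, flags any WDEF resource (a Desktop file legitimately carries none), and rebuilds the fork without it. The fork bytes and resource IDs are constructed here, and the WDEF body is placeholder zeros, not virus code.

```python
"""Flag and strip WDEF resources in a classic Mac OS Desktop file fork.
Added example (not digest, GateKeeper Aid or Disinfectant code): a Desktop
file holds no WDEF resource legitimately, so finding one is the WDEF heuristic.
"""
import struct

def build_fork(resources):
    """Build a minimal resource fork from [(type_bytes, id, data), ...]."""
    data, refs = b"", {}
    for rtype, rid, body in resources:
        refs.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(body)) + body          # length-prefixed data
    type_list = struct.pack(">H", len(refs) - 1)             # type count minus one
    ref_lists = b""
    ref_base = 2 + 8 * len(refs)   # reference lists follow the 8-byte type entries
    for rtype, entries in refs.items():
        type_list += rtype + struct.pack(">HH", len(entries) - 1, ref_base + len(ref_lists))
        for rid, off in entries:
            # id, no name (0xFFFF), attribute byte + 24-bit data offset, reserved handle
            ref_lists += struct.pack(">hH", rid, 0xFFFF) + off.to_bytes(4, "big") + b"\0" * 4
    map_len = 28 + len(type_list) + len(ref_lists)
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), map_len)
    # Map: header copy, handle/fileref/attrs (8 bytes), type-list and name-list offsets
    rmap = header + b"\0" * 8 + struct.pack(">HH", 28, map_len) + type_list + ref_lists
    return header + b"\0" * 240 + data + rmap

def list_resources(fork):
    """Walk the resource map and return [(type_bytes, id, body_bytes), ...]."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]   # type list start
    out = []
    for i in range(struct.unpack_from(">H", fork, tl)[0] + 1):
        rtype, nres, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        for j in range(nres + 1):
            rid, _name, packed = struct.unpack_from(">hHI", fork, tl + ref_off + 12 * j)
            start = data_off + (packed & 0xFFFFFF)             # drop the attribute byte
            size = struct.unpack_from(">I", fork, start)[0]
            out.append((rtype, rid, fork[start + 4:start + 4 + size]))
    return out

def wdef_in_desktop(fork):
    """Return (type, id) of every WDEF resource found; an empty list means clean."""
    return [(t, i) for t, i, _ in list_resources(fork) if t == b"WDEF"]

def strip_wdef(fork):
    """Rebuild the fork without WDEF resources, as GateKeeper Aid does on insertion."""
    return build_fork([r for r in list_resources(fork) if r[0] != b"WDEF"])

# Constructed sample Desktop forks; the WDEF body is placeholder zeros, not virus code.
CLEAN_DESKTOP = build_fork([(b"ICN#", 128, b"\xff" * 256), (b"FREF", 128, b"APPL\0\0")])
INFECTED_DESKTOP = build_fork([(b"ICN#", 128, b"\xff" * 256),
                               (b"WDEF", 0, b"\0" * 40),
                               (b"FREF", 128, b"APPL\0\0")])
```

Rebuilding the desktop, as the Grinnell report did, discards the whole file and so removes the resource the same way; the parser above only makes the check explicit.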