VIRUS-L Digest Wednesday, 21 Dec 1988 Volume 1 : Issue 56 Today's Topics: followup on alleged modem virus (PC) File: Misc. Notes: Virus Listings / Pc Mag Article Write protect circuitry on Apple II line Re: Can virus be placed on blank formatted disk? (PC) Write Protect Gritch Can virus be placed on a blank formatted disk? (PC) Nightline virus program Questions about the Hard Drive (PC) You can't fool the write protect line w/software (PC) virus in bad sectors of an unbootable floppy (PC) Problems with commercial software (PC) --------------------------------------------------------------------------- Date: Wed, 21 Dec 1988 9:11:09 EST From: Ken van Wyk Subject: followup on alleged modem virus (PC) It's been brought to my attention that the report of a modem virus here on VIRUS-L a couple weeks ago was a hoax. After looking at the original announcement of the virus, I'm inclined to agree with that. Specifically: > TIME: TUE 10-04-88 03:17:41 > FROM: MIKE ROCHENLE > TO: ALL > SUBJ: Really nasty virus > AREA: GENERAL (1) > > I've just discovered probably the world's worst computer virus yet. > ...[Body of text deleted] > do now is to stick to 1200 baud until we figure this thing out. > > Mike RoChenle In addition to the fact that the reported virus is highly incredible, as was pointed out by several of our readers, it's even more unlikely that someone would have the name Mike RoChenle (read: Micro Channel). Thus, unless someone can come forward with some substantial evidence on this matter, I'd like for everyone to assume that the reported virus was a hoax. Obviously, I can't follow up on every message that gets sent to VIRUS-L, but I would like to ask all persons submitting messages, particularly when forwarding messages from other sources (as was the case here), to confirm their sources of information, within reason. I certainly don't want VIRUS-L to become a source of disinformation, and I'm sure that the readers don't want that either. Thanks in advance for everyone's cooperation on this. Oh, and Happy Holidays to all! Ken ------------------------------ Date: Wed, 21 Dec 1988 09:31 EST From: [Ed. No From: field, I assume this is from J.D. Abolins?] Subject: File: Misc. Notes: Virus Listings / Pc Mag Article VIRUS LISTINGS: Brett Ingerman and anybody else interested in compiling a virus "Dirty Dozen", let's keep in contact. Pam Kane is putting up a message on Delphi in order to find out how to contact Eric Newhouse. I still needto cull together some tools for desinating the cases on the listing so that the listing does drive university and other institutional public relations people up the wall. A possible format for a listing would a "neutral" identifier followed by the various names the virus is called. Then the symptoms and any particular qualities it may have. If the recovery procedure have any special indications, these would be mentioned with the listing for the virus. At the end of the listing would be general recovery procedures. PC MAG ARTICLE: Recently somebody mentioned that John Dvorak's column of a few months ago claimed that software writers were already using viruses to attack competitors' products. From my recollections, the gave this as a hypothetical future scenario, not as a statement of current practice. While there have case were virus code was considered as a means of dealing with piracy and copyright infringement, no major "virus wars" are going on for now. (I have heard reports of immature BBS SysOps sabotaging eachother's systems with Trojans and viruses, but that's a different matter.) ------------------------------ Date: Wed, 21 Dec 88 08:27:39 EST From: Joe Simpson Subject: Write protect circuitry on Apple II line Apple 2 5.25 inch drives had circuit level protection for disk drive write protection. Many people installed switches on the drive to circumvent this. ------------------------------ Date: Wed, 21 Dec 88 09:15:15 EST From: "Christian J. Haller" Subject: Re: Can virus be placed on blank formatted disk? (PC) >Date: Wed, 21 Dec 88 06:44:57 EST >From: "Homer W. Smith" > Still not clear on this. If I put a fresh floppy in the A drive >and format it, can the virus be laid down on the floppy at this time? Yes, if your FORMAT command has been subverted by a virus. >If I then copy files from the C drive, can the virus be laid down at >this time? Yes, if your COPY or DISKCOPY or XCOPY command has been subverted. > If I attempt to warm boot the machine with the empty floppy in >place, this results in a failure to boot of course, but can the virus >be laid down at this time? Yes, if the warm boot key sequence has been trapped and subverted. There is a BIOS call that generates a warm boot without clearing active memory. There is no corresponding key combination that can produce this, but a program can do it easily. > Let's say the floopy gets infected. How can it then infect >another machine? During a warm or cold boot with the floppy in >place (causing boot failure)? Yes, either one. The boot sector of the floppy is small, but can easily point to someplace in memory, which could survive an apparent warm boot, or to some obscure file on a hard disk, which could survive a cold boot. > If the floppy is infected must it have bad sectors? Won't >checkdsk find this out? If the disk has no bad sectors, does this >mean the floppy is clean of all or just certain viruses? With only a boot sector's worth of space, a virus couldn't be very elaborate. A floppy-based virus would probably have info stored in bad sectors, like Brain, but not necessarily. Given complete control of the File Allocation Table, a virus could hide its presence by appearing to be junk in unused sectors at the end of the diskette. Given complete control of the disk controller hardware and its pattern of representation in memory, other things may be possible, like writing between the formatted sectors on the diskette, or outside the pattern of formatted tracks. The PC system is more full of holes than Swiss cheese, and I expect the same goes for other kinds of systems too. > The implication in a past posting is that some brain viruses >will cause debug to not execute properly d0:0. Is this the boot >sector? And is this correct about brain? I don't know about Brain's location in memory, but you could take a look at the chapter on memory in the MS-DOS Encyclopedia in our Software Lending Library, 126 CCC, Homer. Too bad you missed my talk on viruses. - -Chris Haller Acknowledge-To: ------------------------------ Date: Wed, 21 Dec 88 09:43:09 EST From: Don Alvarez Subject: Write Protect Gritch OK gang, we're now up to 547 comments on write protect tabs. 99.9% of these took the form of either "somebofy told me it was hardware" or "somebody told me it was software." I may have missed one, but near as I can recall, the ONLY PERSON who actually did his homework right was our fearless leader, Ken. I know Ken doesn't like people flaming on the list, so maybe I'll get booted for saying this, but PLEASE, if somebody asks a question which has a simple, yes or no answer, and you want to respond with an nth generation rumor of unknown origin, keep it short, because a thousand people or more are going to have to take the time to read what you say. Better yet, if you want to respond to it, be an experimentalist like ken and read the manual or write a piece of code or something. *Flame off* - Don + ----------------------------------------------------------- + | Don Alvarez MIT Center For Space Research | | boomer@SPACE.MIT.EDU 77 Massachusetts Ave 37-618 | | (617) 253-7457 Cambridge, MA 02139 | + ----------------------------------------------------------- + ------------------------------ Date: Wed, 21 Dec 88 08:53:38 EST From: Joe Simpson Subject: Can virus be placed on a blank formatted disk? (PC) I'm sorry I was not clear. Viruses are a lot like game theory from hell. 1. Places for viruses to remain dormant. If it's magnetic and fits in the drive it can be infected. 2. Places for viruses to be active. As far as I know there is only one place for a to be active. That is the computers primary store, where instructions can be fetched and interpreted by the CPU. For most PC's this means ram. Note that the ram may be battery backed up! If it is not, then removing power from this ram is the ONLY safe way to kill an active virus image. 3. How a virus activates. As far as I know, all viruses are activated by inserting virus activation code in software routinely executed by the PC. Obvious places for this are the boot block of a floopy, with or without DOS on it, the DOS hooks where reading and writing take place, and the keyboard interrupt hook. 4. My conclusions. If you have an active ram based image of a virus in your system, it can do anything it has been programmed to accomplish, including writing on any magnetic media it wants to. NOTE: Thanks to Ken's rigorous inclinations, I feel comfortable in declaring that viruses don't have access to write protected floppies on IBM PC's (old 5.25 style machines). 5. What can you do? Pray Run protection software like FluShot for partial protection. Routinely check your hard disk for infection. Sample floppies to check for virus infection. Get a lawyer to write an obnoxiious, unfair, and effective statement of limited liability. ------------------------------ Date: Wed, 21 Dec 88 10:06:28 -0500 (EST) From: Leslie Burkholder Subject: Nightline virus program Did anyone tape the Ted Koppel Nightline program on viruses (for deferred viewing) run on 10 November? Please reply to lb0q@andrew.cmu.edu, rather than the list. Thanks, Leslie Burkholder ------------------------------ Date: Wed, 21 Dec 88 10:22:07 EDT From: Swifty LeBard Subject: Questions about the Hard Drive (PC) Query: What can any of the known viruses do to the Hard Disk? Can they actually disrupt data, or even damage the drive? It now seems that the viruses can actually infect write-protected diskettes, how will this effect the hardware of the Hard Disk? I also want to thank Christian J. Haller for his info. I learned a lot from it! (I just joined virus-l). +------------------------+ | O | | ~|\o-# Swifty LeBard | | // | +------------------------+ [Ed. Oh no... Take a look at the following message from Richard Baum and John Hunt; write-protection is done in hardware.] ------------------------------ Date: Wed, 21 Dec 88 11:40 EST From: X-=*REB*=-X Subject: You can't fool the write protect line w/software (PC) According to the circut diagram from IBM for IBM 5.25" diskette drives, (From the logic diagram section in the IBM technical reference guides) the write protect mechanism is a hardware device that takes its input from the write protect switch. Normally, the switch remains closed. When a write protect tab is placed in front of the switch, the switch is opened. Then, the erase line and the write signals are disabled. This is directly controlled by the switch. There is a provision for this to be jumpered so that the drive permanently ignores the write protect switch. Thus, all the talk recently of this being controlled by software is incorrect. Richard Baum & John Hunt PS: We have not examined the circut diagrams for 3.5" drives, but we assume that they work in a similar fashion. ________________________________________________________________ /InterNet:kREBaum@Vax1.CC.Lehigh.EDU BitNet: RB00@Lehigh.Bitnet ", / SlowNet: 508 E 4th St Suite #1, Bethlehem, PA 18015 215-867-8433", /NJ Slownet: 861 Washington Avenue Westwood, NJ 07675 201-666-9207 ", "--------------------------------------------------------------------" If you'll be my Dixie chicken, I'll be your Tennessee lamb, and we can walk together down in Dixie land... [Ed. Thanks guys! The only possible weak link then would be a malfunctioning write-protect sensor (normally an optic sensor, I believe). If the light to the sensor passes through the tab due to a tab being not opaque enough, then I'd assume that the drive might believe that the drive is ok to write to. Likewise, if the light is sent and detected on the same side of the disk via a reflector on the other side, and if the write-protect tab itself is reflecting light, then the detector might get an incorrect signal. The solution, of course, is to use black non-reflecting write-protect tabs, and to trust the hardware to do its job. Let us all hope that this issue has been cleared up once and for all. Thanks to everyone who helped out!] ------------------------------ Date: Wed, 21 Dec 88 11:24:26 EST From: Jefferson Ogata (me!) Subject: virus in bad sectors of an unbootable floppy (PC) There's no harm in a virus hanging out in "bad" sectors of an unbootable, source-only floppy; the virus cannot be invoked. Even if an executable is copied to the disk later, it won't be linked with the virus in any way. All a virus can do by putting itself on bad sectors is take up disk space, since nothing will ever read memory from those sectors. The only danger will be if the virus is also in the boot block somehow. If the disk is bootable, or has an infected executable, then either of those programs could load the virus off the bad sectors. I don't know the format of the boot record, but if IBM did things with their customary stupidity, the OS loads a boot program off the block and attempts to execute, regardless of whether there was a boot program actually on the disk. However, I give them credit for having done something different, because if you try to boot a non-system disk, it behaves in a predictable manner. So either the formatter puts a program on the boot block that prints the message: Non-system disk, etc., or the OS looks at the boot record and sees that there's no boot program there. Putting an unfunctional boot program there would allow virus infection of an unbootable diskette, since the virus could hook up to the boot program. Any time you did a warm boot, the virus would get executed and then you'd see the non-system disk message. This would have been a stupid design decision for (among others) precisely this reason. Having the OS check for a boot program is a tougher situation for the virus. In this case, there is a magic number or some other indication of whether a program is residing on this block. The OS checks this indicator and performs accordingly. A virus could still infect an unbootable disk by jumping on the boot block and pretending it's a boot program, but in order to be inconspicuous it would have to then print out a non-system disk message and wait for the user to load a new disk. I haven't heard of any virus that does this. So there are basically two scenarios: 1: the OS always loads and executes whatever is on the boot block; in this case, the formatter must always put a program in the boot block, or the computer would hang. 2: the OS checks what's on the boot block and then loads and executes it if there's something there. In scenario 1 virus infection is pretty easy; in scenario 2, it requires a more sophisticated virus. Does anyone know which is the actual case (or if I've missed something)? Someone with a Technical Reference? A corollary of scenario 2 is that if such a virus does not exist, there is no danger in a virus inhabiting "bad" sectors of an unbootable, source-only disk. Some people have talked about doing low-level formats of their hard disks in order to kill a virus. I'm curious as to what ye believe the difference is as far as virus infection is concerned. Does a bad-sector virus have some method of linking its lost segments back into a file? Whenever a new FAT is created, no file will ever use those bad sectors unless a virus links them up again. If the sectors are recovered, their contents will be irrelevant. Even if the contents remain in an execut- able file, through a very unusual procedure involving a copy program that opens its output file read-write, the virus code will no longer be part of the code segment of the executable. And I don't think any such copy program exists anyway. So what is the thing with a low-level format that will destroy a virus when a normal format won't? - - Jeff Ogata ------------------------------ Date: 21 December 1988, 18:50:18 CET From: Thomas Zielke 0441/798-3109 113355 at DOLUNI1 Subject: Problems with commercial software (PC) We have recently heard from people having trouble formatting disks on their MS-DOS-PCs. In fact their computers did not allow formatting, reading or writing diskettes of any type. Some also reported that some files or programmes residing on the harddisk were damaged or even destroyed. We have already found out that only those who had a copy of a game called 'Leisure Suit Larry' installed on their disk were affected. Actually, this game was to be found on some PCs at our Computer Center, and the people in question 'just made a copy' of it. Our problem now is: How can we get rid of that virus (at least, we believe it to be one)? Has anybody heard of it and can help us to solve our problem? I would be most glad to get some mail... Yours truly Thomas Zielke (113355 at DOLUNI1) - - we never ask for a wonder - we simply produce one - ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253