VIRUS-L Digest             Thursday, 4 May 1989        Volume 2 : Issue 105

Today's Topics:

Virus - worm combinations: A future trend?
Virus Plurals
Chroma trojan horse (PC)
checksum algorithm
(c) Brain ?????????? (PC)
old question - AV software info request (PC)
Possible virus, info request (PC)
Boot viruses - forwarded from HomeBase (PC)

---------------------------------------------------------------------------

Date: Sun, 30 Apr 89 16:02:48 +0200
From: David Stodolsky
Subject: Virus - worm combinations: A future trend?

Joe Sieczkowski in "RE: Review of THE COMPUTER VIRUS CRISIS," Virus-L Digest, 2(93), points out that the definition offered distinguishing between virii and worms in "Review of THE COMPUTER VIRUS CRISIS" (Mark Paulk, Virus-L Digest, 2(92)) is not that accurate. Joe adds: "If the [worm] program had modified the actual sendmail and fingerd (sic) executables in such a way that they would in turn modify other machines' S&F executables, then it could be called a virus."

The threat posed by virus - worm combinations was previously mentioned in "Net hormones: Part 1 - Infection control assuming cooperation among computers." The relevant paragraph reads:

"An inapparent infection could spread rapidly, with damage noted only much later. Consider a worm that is constructed to carry a virus. The worm infects a system, installs the virus and then infects other nearby systems on the net. Finally, it terminates, erasing evidence of its existence on the first system. The virus is also inapparent; it waits for the right moment, writes some bits and then terminates, destroying evidence of its existence. Later the worm retraces its path, reads some bits, then writes some bits and exits. The point is that an inapparent infection could spread quite widely before it was noticed. It also might be so hard to determine whether a system was infected or not that it would not be done until damage was either imminent or apparent. This analysis suggests response to network-wide problems would best be on a network level."

(Citation: Stodolsky, D. (1989). Net hormones: Part 1 - Infection control assuming cooperation among computers [Machine-readable file]. van Wyk, K. R. (1989, March 30). Several reports available via anonymous FTP. Virus-L Digest, 2(77, Article 1). Abstract republished in van Wyk, K. R. (1989, April 24). Virus papers (finally) available on Lehigh LISTSERV. Virus-L Digest, 2(98, Article 4). (Available via anonymous file transfer protocol from LLL-WINKEN.LLNL.GOV: File name "~ftp/virus-l/docs/net.hormones" and IBM1.CC.LEHIGH.EDU: File name "HORMONES NET". And by electronic mail from LISTSERV@LEHIIBM1.BITNET: File name "HORMONES NET").)

In January I started writing a paper, "Virus infected worms in information machines." The virus - worm combination has both negative and positive implications. In the biological world, virii have been very effective in controlling bacteria that cause disease in farm animals, etc. So far, the only thing I have seen like this for computers is the "KillVirus" init. As discussed earlier, it is a "virus" that overwrites and thereby destroys an invading one. The key problem seems to be how to develop a virus that has no negative effects, except on an invading agent. Are there any wizards, virus writers, etc. who will accept this challenge?

- --------
David Stodolsky                    Routing: <@uunet.uu.net:stodol@diku.dk>
Department of Psychology           Internet:
Copenhagen Univ., Njalsg. 88       Voice + 45 1 58 48 86
DK-2300 Copenhagen S, Denmark      Fax. + 45 1 54 32 11

------------------------------

Date: Tue, 02 May 89 12:15:45 EDT
From: "Gregory E. Gilbert"
Subject: Virus Plurals

For all of you out there who might be confused between: viruses, viri or virii. According to the Second College Edition of The American Heritage Dictionary the correct plural form of virus is (drum roll please.......) viruses.

Please note that I will not be offended if any of the others are used, nor should this message be conceived as snobby or condescending. I was curious as to which is the "preferred" plural form and thought that others out there in virusland (or is that viriland, viriiland, virusesland?????) might want to know also.

------------------------------

Date: Tue, 02 May 89 14:21:51 -0700
From: Steve Clancy
Subject: Chroma trojan horse (PC)

This is a short bulletin that I recently posted on our BBS. I want to emphasize that I DO NOT have all the facts, and am not trying to start a wild rumor. The user who informed me of this possible trojan horse (as opposed to a virus) is reliable.

-- Steve Clancy

Original - April 19th, 1989. Irvine, CA.

TROJAN HORSE ALERT!

John Cook of the French Connection BBS just informed me of a possible Trojan Horse that has surfaced in this area. Details are sketchy. All I have to go on is what he told me. Evidently, someone downloaded a file called "HARDCORE.ARC" which contained a file called either "CHROMA.EXE" or "CHROMA.COM." This person ran the program, and it displayed something approximating the following message on the screen:

"The worst possible thing has just happened to your hard disk!"

I don't have details on exactly what happened to this person's hard disk, but at the very least the TH seems to have erased all files. Again, details are very sketchy at this point, but John is a reliable source. As more info becomes available, I will update this bulletin.

Steve Clancy, Wellspring RBBS, 714-856-7996, 714-856-5087
U.C. Irvine, California, USA.

------------------------------

Date: Tue, 2 May 89 11:01:45 CDT
From: "Len Levine"
Subject: checksum algorithm

In an earlier Virus-L dmg@mwunix.mitre.org states:

>I believe it is possible to use a checkfunction in a constructive
>manner to detect even the most advanced computer viruses, and it
>involves a technique called a "cryptographic checkfunction".

It is fairly easy to use even a simple CRC with a non-standard polynomial to fool any arbitrary virus. There is no way that a virus writer can determine what polynomial you are using, as the program that does the checking need not be stored in any special place on the system for the virus to check against. As long as you use a polynomial for the CRC that is not published, no virus can match it.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                 e-mail len@evax.milw.wisc.edu   |
| Professor, Computer Science       Office (414) 229-5170           |
| University of Wisconsin-Milwaukee Home (414) 962-4719             |
| Milwaukee, WI 53201 U.S.A.        Modem (414) 962-6228            |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

------------------------------

Date: Wed, 03 May 89 13:12:35 CDT
From: Michael K. Blackstock
Subject: (c) Brain ?????????? (PC)

I am a student at Mississippi State Univ. and some of the computer disks around here are getting odd data on them. All of the disks that I have seen have the label (c)Brain. Does anyone out there know what this is? Is it an anti-virus or is it a virus itself? I looked at the disk with a program called Master Key and I found this in sector number 0.

< J.4 Welcome to the Dungeon (c) 1986 Brain. & Amjads (pvt)
< Ltd VIRUS_SHOE RECORD v9.0 Dedicated to the dynamic
< memories of millions of virus who are no longer with us today -
< Thanks GOODNESS!! BEWARE OF THE er..VIRUS
< \this program is catching program follows after these messeges...

If anyone knows what this is infecting the disks on campus please let me know.

Michael K. Blackstock
ELTRUT@MSSTATE

P.S. Thanks...................

[Ed. Sure sounds like the Pakistani (aka Brain) virus to me. There have been some excellent technical descriptions of the Brain published on VIRUS-L. Does someone have one of these handy that they could send to Mr. Blackstock (directly)?]

------------------------------

Date: Wed, 3 May 89 17:00 EST
From: "Shawn V. Hernan"
Subject: old question - AV software info request (PC)

Please, anyone: where can I get virus detection/removal software from some network? I am looking for MS-DOS stuff; I have all the Macintosh stuff I need, and I know where to get it. But I run a library of about 500 MS-DOS packages and I need to check for/eliminate viruses. I am hoping to get public domain or shareware stuff. Any help is appreciated. If possible, please respond directly to me, as this is rather urgent. Thanks....

- ------------
Shawn V. Hernan
- --------------------------------------------------------------------------
Computing and Information Systems (Computer Center), Academic Computing
University of Pittsburgh         valentin%VMS.CIS.PITTSBURGH.EDU@VB.CC.CMU.EDU
4015 O'Hara Street               valentin@PITTVMS.BITNET
Pittsburgh, Pennsylvania 15260   valentin@cisunx.UUCP
(412) 624-9356                   valentin@CISVM{1,2,3}.CCnet
__________________________________________________________________________

------------------------------

Date: Wed, 3 May 89 17:48:55 EDT
From: vanembur@gauss.rutgers.edu (Bill Van Emburg)
Subject: Possible virus, info request (PC)

My friend's PC-compatible seems to have a virus, and I don't have enough experience with IBM viruses to recognize it. Does this sound familiar to anyone??

This virus (if it really is a virus) modifies the command.com file. The result of this, the next time you boot the machine, is that all .exe files are no longer executable. The machine boots just fine, and .bat files run, but the autoexec.bat file dies when it tries to execute xtree.exe. The .exe files are still there, they just can't be run. Diagnostics were run on the hard drive, and everything checked out. When the command.com file was re-copied from an original DOS 3.3 disk, everything started working normally again.

The BIG question: Was the virus killed when the command.com was re-copied? How can we be sure that it isn't residing somewhere else, waiting to try its little game again?

The secondary question: Does anyone recognize this virus? Does anyone have any additional info (background, how it works, what it does, where it hides, and how to detect it) on it?

-Bill Van Emburg
 Rutgers University

------------------------------

Date: Sun, 30 Apr 89 05:36:50 EDT
From: Bruce Burrell
Subject: Boot viruses - forwarded from HomeBase (PC)

I was asked by Frank Nalls, a user on HomeBase Virus BBS, to forward this message to VIRUS-L. I'll forward responses to him there; if you want to send private mail to him through me, that's fine too (BPB@um.cc.umich.edu).

-----------------------------------------------------------------------

I have just finished reading the Virus-L postings for the past year or so and found a lot of good information in them. I'm concerned, though, about some of the virus product attitudes that I've seen expressed. Jim Goodwin, Mark Shaw and Tim Sankary reported on the most common infections from over 700 corporate occurrences and found that over 90% of PC infections were caused by one of the following viruses:

. Pakistani Brain (Basit and Amjad Original)
. Pakistani Brain HD Version
. Alameda (Yale)
. Alameda (Version - C, Modifies FAT)
. Australian (Stoned) - Original Version
. Venezuelan (Den Zuk)
. Venezuelan-CX (No display)
. Ping Pong (Italian)
. Nichols (Original Version)

The reason I bring this up is that all 9 of these viruses are boot sector infectors. Virus filter products (like Flu-Shot+ and C-4) can't prevent or even detect any boot sector virus. Yet I see these products hyped as good virus protection products. Anyone who claims these products work either has never seen a boot sector virus or has never tested these products against them. The only products that are even remotely useful against these viruses are logging products like Virus-Pro, Sentry, Magic Bullets and other detection type products. I'm not trying to flame Mr. McAfee's C-4 or Mr. Greenberg's Flushot+, it's just that the products don't match virus realities.

I also have to strongly disagree with Mr. David Bader's assessment of Sentry. I suggest he try some live viruses and check the differences himself.

Frank Nalls

------------------------------

End of VIRUS-L Digest
*********************
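Added example, not part of the digest: the integrity check Len Levine describes in the "checksum algorithm" message above, written out as a table-driven CRC-32 whose generator polynomial is chosen locally rather than taken from a published standard. The file names, file contents and the site polynomial value are constructed for the example; with the published polynomial 0xEDB88320 the same routine reproduces the standard CRC-32, which is used only to show that the site-specific checksum differs from it.

```python
# Added example (not from the digest): a file-integrity check built on a CRC
# with a locally chosen, unpublished polynomial, as Len Levine's post suggests.
# The polynomial value, the file names and their contents below are constructed
# for this example.

def make_table(poly):
    """Build the 256-entry table for a reflected (LSB-first) CRC-32 whose
    reflected generator polynomial is `poly`."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table

def crc32_custom(data, table, init=0xFFFFFFFF, xorout=0xFFFFFFFF):
    """Table-driven CRC-32 over `data` (bytes). With the published reflected
    polynomial 0xEDB88320 this reproduces the standard CRC-32 (zlib.crc32);
    with any other table it yields a site-specific checksum."""
    crc = init
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ xorout

def build_baseline(files, table):
    """Checksum every file once, on a system believed clean.
    `files` maps file name -> file contents (bytes)."""
    return {name: crc32_custom(content, table) for name, content in files.items()}

def verify(files, baseline, table):
    """Re-checksum the files and return the sorted names of any whose
    checksum no longer matches the baseline, or which have disappeared."""
    changed = []
    for name, expected in baseline.items():
        if name not in files or crc32_custom(files[name], table) != expected:
            changed.append(name)
    return sorted(changed)

# Constructed stand-ins for a few DOS files (contents are arbitrary bytes).
SAMPLE_FILES = {
    "COMMAND.COM": b"MZ" + bytes(range(256)) * 2,
    "XTREE.EXE": b"MZ" + b"xtree-sample-body-" * 16,
}

# Constructed site polynomial (reflected form, top bit set). It is a
# placeholder for this example, not a recommendation.
SITE_POLY = 0x9B14E2A7
STANDARD_POLY = 0xEDB88320  # published CRC-32 (zlib/PKZIP) reflected polynomial

def demo():
    """Baseline the sample files, then simulate an unauthorized change to
    COMMAND.COM (a constructed append of two bytes) and report what the
    site-specific checksum flags."""
    table = make_table(SITE_POLY)
    baseline = build_baseline(SAMPLE_FILES, table)
    current = dict(SAMPLE_FILES)
    current["COMMAND.COM"] = SAMPLE_FILES["COMMAND.COM"] + b"\x00\x00"
    return verify(current, baseline, table)

def checksums_differ_by_polynomial(data):
    """The same bytes checksum differently under the site polynomial than
    under the published one, so a value computed with the published
    polynomial says nothing about what the site-specific checker stores."""
    return (crc32_custom(data, make_table(SITE_POLY))
            != crc32_custom(data, make_table(STANDARD_POLY)))

if __name__ == "__main__":
    print("changed files:", demo())
```

Two points a practitioner would add to Levine's argument: the baseline table and the checking program itself have to live where the infected system cannot quietly rewrite them (a write-protected floppy, in the setting of this digest), and because a CRC is a linear function of its input, the only secret in the scheme is the polynomial, which is exactly why the "cryptographic checkfunction" the Mitre poster mentions is the stronger alternative when that secrecy cannot be guaranteed.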